Re: [redhat-lspp] What is the preferered way of setting a machines maximum sensitivity?
- From: Casey Schaufler <casey schaufler-ca com>
- To: Daniel J Walsh <dwalsh redhat com>, redhat-lspp <redhat-lspp redhat com>, Stephen Smalley <sds tycho nsa gov>, Chad Hanson <chanson TrustedCS com>
- Cc:
- Subject: Re: [redhat-lspp] What is the preferered way of setting a machines maximum sensitivity?
- Date: Fri, 16 Jun 2006 13:15:53 -0700 (PDT)
--- Daniel J Walsh <dwalsh redhat com> wrote:

> We need to be able to set the maximum login sensitivity on a machine in
> such a way that the login programs and network aware applications
> enforce this. How do you go about doing this?

In the unix days we addressed this issue by only allowing logins with MLS
labels that had explicitly defined names. Since dominance is not strictly
hierarchical you could of course have multiple "maximum" labels if you
(have and) ignore SYSTEM_HIGH.

For example, on Trusted Irix sensitivities of:

    secret,alpha,beta
    unclassified

would be allowed, where

    secret,1,25
    36

would not. Details of how the mappings are done are to be found elsewhere.

Since all sensitivity values that can be logged into are specified you
don't have to worry about calling out a maximum any differently.

BTW, this came about because our B1 evaluation team didn't want to see
numeric values on the T&B labels of printed documents, another issue
y'all may encounter before long.

Casey Schaufler
casey schaufler-ca com
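
The named-label login rule and the "multiple maximum labels" point from the message above, as an added example that is not part of the original post and is not Trusted Irix code. The name tables, the numeric values behind the names, and the function names are assumptions made up for illustration; the rule is read here as "every component of the label must be a defined name".

```python
# Constructed name tables (assumptions, not a real label database).
LEVELS = {"unclassified": 0, "secret": 2}
CATEGORIES = {"alpha": 1, "beta": 25}


def parse_named_label(text):
    """Return (level, categories) if every component is a defined name, else None."""
    head, *rest = [part.strip() for part in text.split(",")]
    if head not in LEVELS or any(c not in CATEGORIES for c in rest):
        return None  # numeric or unknown component: not usable as a login label
    return LEVELS[head], frozenset(CATEGORIES[c] for c in rest)


def dominates(a, b):
    """a dominates b when its level is >= b's and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def maximal_labels(names):
    """Named labels from the list that no other named label strictly dominates."""
    parsed = {}
    for name in names:
        label = parse_named_label(name)
        if label is not None:  # labels that fail the naming rule are ignored
            parsed[name] = label
    return [name for name, label in parsed.items()
            if not any(other != label and dominates(other, label)
                       for other in parsed.values())]


if __name__ == "__main__":
    # The four labels quoted in the message: the first two pass, the last two fail.
    for text in ["secret,alpha,beta", "unclassified", "secret,1,25", "36"]:
        verdict = "allowed" if parse_named_label(text) else "refused"
        print(f"{text:20} {verdict}")
    # Constructed login list: dominance is a partial order, so two labels tie
    # as "maximum" because neither category set contains the other.
    print(maximal_labels(["unclassified", "secret,alpha", "secret,beta"]))
```

Because the set of login labels is enumerated by name, the machine's ceiling is whatever `maximal_labels` returns for that set, and no separate "maximum" setting is needed.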