
[redhat-lspp] Updated requirements

Attached is an updated version of the LSPP requirements documentation 
following the recent concall.

If anyone has any updates, please send them to me and I can update the 

- James
James Morris
<jmorris redhat com>

LSPP Requirements - Version 001

Red Hat Confidential

(Note: 'updated' here means 'updated to support MLS').

1) Standard/reference MLS policy (for Fedora initially).

 - FM: Object labeling a challenge: for applications which
   need read and write access to system files.
 - TCS: can supply developmental policy to get the system up
   and running.
 - Server based policy.
 - Iterative development of ST and Policy.

  - TCS working policy
  - LSPP policy
  - Fedora policy

2) Updated SELinux system tools (e.g. runcon).

  - Probably quite a lot of work.

    - Detailed list of requirements, map to certification, e.g.
      which ones are security enforcing.

3) Updated libraries (label handling APIs, LEF glue, etc).

  - Dummy translator. [TCS working on one].
  - PAM
  - NSA: Adjudication interface out of libsepol?
     TCS: not required but nice to have.
    - Need detailed list.

4) Updated OS utilities (e.g. cron).

  - TCS: multi-level cron, nice to have.
    - Can send it out.
    - Depends on their polyinstantiation code, but should be
      simple to change to namespaces.
  - TCS: xinetd?
    - Need detailed list.

5) Updated applications (e.g. MTA?).

  - FDP_ETC.2 would apply to MTA.
  - TCS: keep it simple, single level, use some other
    method to move it to other levels.
  - SSH ?  TCS: can run multiple instances (also useful
    as general solution).
  - IBM: Postfix is in CAPP.
    - Needed for some systems management.
    - TCS: how to deliver messages?
    - IBM: open question.

   - Analyze & resolve MTA issues.

6) Directory polyinstantiation (via namespaces?).

  - TCS: may not be required in new LSPP but life difficult without
  - Definitely need & have prototype with upstream buy-in for unshare(2).
  - RH: will be doing anyway.

    - Who owns this?  

7) Labeled networking (via IPsec).

  - TCS: need to clarify what we claim
    - desired trusted networking over the wire
    - don't support routing
    - support trusted apps across the network.
    - a lot of the machines don't talk to each other anyway.
  - IBM working on IPsec based solution.
  - A lot depends on how we define the environment.
    - Upstream & integrate IPsec stuff.
    - Develop certification strategy.

8) Polyinstantiated ports (via redirection).  Still not entirely sure how
important this is.

  - Not LSPP requirement.

9) Improved SAK support.

  - Not LSPP requirement.
  - TSOL has this.
  - TCS/NSA elaborate on something simple + useful.

10) Labeled printing.

  - Explicitly required by LSPP.
  - Running headers and footers.
  - Postscript can be problematic (forbid ps, modify ps driver, modify ps etc.)
  - Needs work.
  - RH not experts.
    - Who owns this?

11) Device allocation support.

  - TCS: have a device allocation command framework,
    can be sent out.

  - Allocation command changes DAC & MAC label on device.
    - Audit shows allocation & deallocation, e.g. for a floppy.
    - Can't happen automatically, e.g. no automount of CD,
      must be manual.

  - Need to define what is considered removable devices.
  - PAM?
    - TCS can elaborate requirements/design.
    - Trace LSPP requirements.

12) Network filesystem support: not needed for LSPP but SMB probably 
useful, less complicated than NFS.

  - Not needed for LSPP.
  - TCS may use ssh or scp for file transfer.

13) More user customizable object labeling support, e.g. for
    network interfaces.

  - TCS: may not be needed?
  - NSA: may want to be able to customize network labels without tweaking
    policy.  Not sure if work is happening.

    - Need to determine requirements for LSPP/procurement.

14) Updated audit support.

    - Needs detailed elaboration.

15) Better revocation (e.g. for mmap'd files).

  - FM: good idea but difficult and not needed for certification, where
    we can probably assume static policy and relabeling only by trusted

  - IBM: immediate termination of user's session when account is revoked. 

  - May be needed for time-based roles (e.g. role valid for 90 days, SE
    rules modified & policy reload).
  - Not an LSPP issue.

    - Determine what is needed for procurement.

16) Extension of RBAC support has been discussed.

  - IBM: wants competitive certification against RBACPP.
  - TCS: differentiate between sysadmin and secadmin.
  - IBM: self-test utility required, amtu.

    - What is the scope of this?  Do we aim for LSPP first and do this
      as a further phase, or do both at the same time?

17) TCS: May need explicit labeling of pseudo filesystems.

    - Trace to LSPP requirements.

18) IBM: SELinux and MLS testing (test case development) at the EAL4 level

  - Quite a lot of work
  - Joy Latten has been working on functional coverage of SELinux.

19) IBM: Usability of the final solution

  - More info needed.

20) IBM: Evidence creation (HLD, LLD, FSP, Correspondence, VA, admin & user guides, test plan)

  - A lot of documentation needed.
    - must include new selinux commands etc.

