[redhat-lspp] Updated requirements



Attached is an updated version of the LSPP requirements documentation 
following the recent concall.

If anyone has any updates, please send them to me and I can update the 
document.


- James
-- 
James Morris
<jmorris redhat com>

-----------------------------------------------------------------------------
LSPP Requirements - Version 001

Red Hat Confidential
-----------------------------------------------------------------------------

(Note: 'updated' here means 'updated to support MLS').

1) Standard/reference MLS policy (for Fedora initially).

 - FM: Object labeling a challenge: for applications which
   need read and write access to system files.
   
 - TCS: can supply developmental policy to get the system up
   and running.
   
 - Server based policy.
   
 - Iterative development of ST and Policy.

 AAs: 
  - TCS working policy
  - LSPP policy
  - Fedora policy

 
2) Updated SELinux system tools (e.g. runcon).

  - Probably quite a lot of work.

  AAs:
    - Detailed list of requirements, map to certification, e.g.
      which ones are security enforcing.


3) Updated libraries (label handling APIs, LEF glue, etc).

  - Dummy translator. [TCS working on one].
  - PAM
  - NSA: Adjudication interface out of libsepol?
     TCS: not required but nice to have.
     
  AAs:
    - Need detailed list.


4) Updated OS utilities (e.g. cron).

  - TCS: multi-level cron, nice to have.
    - Can send it out.
    - Depends on their polyinstantiation code, but should be
      simple to change to namespaces.
  - TCS: xinetd?
    
  AAs:
    - Need detailed list.

    
5) Updated applications (e.g. MTA?).

  - FDP_ETC.2 would apply to MTA.
  - TCS: keep it simple, single level, use some other
    method to move it to other levels.
  - SSH ?  TCS: can run multiple instances (also useful
    as general solution).
    
  - IBM: Postfix is in CAPP.
    - Needed for some systems management.
    - TCS: how to deliver messages?
    - IBM: open question.

  AAs:
   - Analyze & resolve MTA issues.

     
6) Directory polyinstantiation (via namespaces?).

  - TCS: may not be required in new LSPP but life difficult without
    it.
  - Definitely need & have prototype with upstream buy-in for unshare(2).
  - RH: will be doing anyway.

  AAs:
    - Who owns this?  

7) Labeled networking (via IPsec).

  - TCS: need to clarify what we claim
    - desired trusted networking over the wire
    - don't support routing
    - support trusted apps across the network.
    - a lot of the machines don't talk to each other anyway.
    
  - IBM working on IPsec based solution.
  
  - A lot depends on how we define the environment.
  
  AAs:
    - Upstream & integrate IPsec stuff.
    - Develop certification strategy.

  
8) Polyinstantiated ports (via redirection).  Still not entirely sure how
important this is.

  - Not LSPP requirement.


9) Improved SAK support.

  - Not LSPP requirement.
  - TSOL has this.
  
  AAs:
  - TCS/NSA elaborate on something simple + useful.


10) Labeled printing.

  - Explicitly required by LSPP.
  - Running headers and footers.
  - PostScript can be problematic (forbid ps, modify ps driver, modify ps etc.)
  - Needs work.
  - RH not experts.
  
  AAs:
    - Who owns this?


11) Device allocation support.

  - TCS: have a device allocation command framework,
    can be sent out.

  - Allocation command changes DAC & MAC label on device.
    - Audit shows allocation & deallocation, e.g. for a floppy.
    - Can't happen automatically, e.g. no automount of CD,
      must be manual.

  - Need to define what is considered removable devices.
  - PAM?
  
  
  AAs:
    - TCS can elaborate requirements/design.
    - Trace LSPP requirements.


12) Network filesystem support: not needed for LSPP but SMB probably 
useful, less complicated than NFS.

  - Not needed for LSPP.
  - TCS may use ssh or scp for file transfer.
  

13) More user customizable object labeling support, e.g. for
    network interfaces.

  - TCS: may not be needed?
  - NSA: may want to be able to customize network labels without tweaking
    policy.  Not sure if work is happening.

  AAs:
    - Need to determine requirements for LSPP/procurement.


14) Updated audit support.

  AAs:
    - Needs detailed elaboration.

15) Better revocation (e.g. for mmap'd files).

  - FM: good idea but difficult and not needed for certification, where
    we can probably assume static policy and relabeling only by trusted
    applications.

  - IBM: immediate termination of user's session when account is revoked. 
    (FMT_REV.1)

  - May be needed for time-based roles (e.g. role valid for 90 days, SE
    rules modified & policy reload).
  
  - Not an LSPP issue.

  AAs:
    - Determine what is needed for procurement.


16) Extension of RBAC support has been discussed.

  - IBM: wants competitive certification against RBACPP.
  - TCS: differentiate between sysadmin and secadmin.
  - IBM: self-test utility required, amtu.

  AAs:
    - What is the scope of this?  Do we aim for LSPP first and do this
      as a further phase, or do both at the same time?

17) TCS: May need explicit labeling of pseudo filesystems.

  AAs:
    - Trace to LSPP requirements.


18) IBM: SELinux and MLS testing (test case development) at the EAL4 level

  - Quite a lot of work
  - Joy Latten has been working on functional coverage of SELinux.



19) IBM: Usability of the final solution

  - More info needed.


20) IBM: Evidence creation (HLD, LLD, FSP, Correspondence, VA, admin & user guides, test plan)

  - A lot of documentation needed.
    - must include new selinux commands etc.

----------------------------------------------------------------------------- 