[redhat-lspp] LSPP work items
Steve Grubb
sgrubb at redhat.com
Wed Oct 5 10:29:26 UTC 2005
On Tuesday 04 October 2005 23:11, James Morris wrote:
> > 3 Kernel - Audit related
> > 3.1 Create new audit record types for: rlimit violations, lspp subject,
> > lspp object, crypto, anomalies, and response to anomalies.
>
> What do you mean by crypto here?
I want to start getting the hooks in place for Medium Robustness. It
says: a Cryptography Admin role shall exist; anything that inits the crypto,
changing any of its params, algorithm modes, and selection of the algorithm
shall require the Crypto Admin role.
I was intending to start putting the message types in the audit header files
so that we can use them later.
> > 4.3 When role data base is offline, corrupt, or inaccessible, the system
> > shall preserve a secure state (R/FPT_FLS.1)
>
> What exactly does corrupt mean here: invalid file format or valid file
> format with incorrect data?
I guess both.
> > 5 Kernel Export/Import of Data
> > 5.1 Export of Data (FDP_ETC)
> > 5.1.1 Export is controlled by MAC policy
> > 5.1.2 unlabeled data stays unlabeled
>
> All data is labeled under SELinux in the kernel, but not necessarily
> persistently. e.g. if you context mount an unlabeled partition, the
> entire partition will be labeled while mounted but no labels will be
> written to disk.
LSPP says that if it's unlabeled, it stays unlabeled unless explicitly labeled
by the admin.
> > 5.1.5 security mechanisms must be provided to the data that are exported
> > by devices to media that do not have labels with the actual data
>
> What does this mean? Being able to differentiate access in policy based
> on the labeling behavior of the device? SELinux policy has no such
> construct.
Good question. We've had a few discussions but no conclusions. It could be
encrypted, for example. But does that mean we have FIPS requirements now? How
we meet this needs discussion.
> > 8.6 newrole made into suid program so that it can send audit messages
>
> Why not instead define SELinux policy for the domain newrole runs in?
> (nlmsg_relay ?)
We simply need CAP_AUDIT_WRITE. I was planning to drop capabilities on
startup.
> Don't we also need some way to handle local mail delivery for different
> levels?
Yes. Were we going to use postfix or just procmail?
-Steve
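An added example of the startup step Steve describes (a setuid helper that keeps CAP_AUDIT_WRITE and drops everything else). This is not code from newrole or from the thread; it uses the raw capget(2)/capset(2) syscalls with the v3 ABI so it builds without libcap, and the function names (restrict_to, drop_all_but, current_permitted) are this example's own. Lowering capability sets needs no privilege, so the same code runs unprivileged (with nothing to drop) and as the setuid root helper it is meant for.

```c
/*
 * Added example (not newrole's or the kernel's code): a setuid helper that
 * needs only CAP_AUDIT_WRITE drops every other capability at startup.
 * Uses raw capget(2)/capset(2) (v3 ABI, two 32-bit words per set) so it
 * builds without libcap. Linux only.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* One 64-bit mask per set; bit n is capability number n. */
struct capsets { uint64_t effective, permitted, inheritable; };

uint64_t cap_mask(int cap) { return (uint64_t)1 << cap; }

/* Policy step, pure and testable without privilege: keep only the bits in
 * `keep`, never raise anything, and clear inheritable so an exec'd child
 * starts with nothing. */
struct capsets restrict_to(struct capsets cur, uint64_t keep) {
    struct capsets out;
    out.permitted   = cur.permitted & keep;
    out.effective   = cur.effective & out.permitted;
    out.inheritable = 0;
    return out;
}

/* Read the calling process's sets from the kernel. Returns 0 on success. */
int read_capsets(struct capsets *out) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    out->effective   = ((uint64_t)data[1].effective   << 32) | data[0].effective;
    out->permitted   = ((uint64_t)data[1].permitted   << 32) | data[0].permitted;
    out->inheritable = ((uint64_t)data[1].inheritable << 32) | data[0].inheritable;
    return 0;
}

/* Write sets back. The kernel refuses to add a bit that is not already
 * permitted, so this can only ever lower privilege. Returns 0 on success. */
int write_capsets(const struct capsets *in) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    data[0].effective   = (uint32_t)in->effective;
    data[1].effective   = (uint32_t)(in->effective >> 32);
    data[0].permitted   = (uint32_t)in->permitted;
    data[1].permitted   = (uint32_t)(in->permitted >> 32);
    data[0].inheritable = (uint32_t)in->inheritable;
    data[1].inheritable = (uint32_t)(in->inheritable >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Drop everything except `cap`. Returns 0 on success, -1 with errno set. */
int drop_all_but(int cap) {
    struct capsets cur, nw;
    if (read_capsets(&cur) != 0) return -1;
    nw = restrict_to(cur, cap_mask(cap));
    return write_capsets(&nw);
}

/* Current permitted set, or all-ones if the kernel query failed. */
uint64_t current_permitted(void) {
    struct capsets cur;
    if (read_capsets(&cur) != 0) return ~(uint64_t)0;
    return cur.permitted;
}

int main(void) {
    struct capsets now;
    if (drop_all_but(CAP_AUDIT_WRITE) != 0) { perror("capset"); return 1; }
    if (read_capsets(&now) != 0) { perror("capget"); return 1; }
    printf("permitted after drop: %#llx (CAP_AUDIT_WRITE %s)\n",
           (unsigned long long)now.permitted,
           (now.permitted & cap_mask(CAP_AUDIT_WRITE)) ? "kept" : "was never held");
    return 0;
}
```

Call drop_all_but(CAP_AUDIT_WRITE) before any untrusted input is parsed; after it the process can still open the audit netlink socket but has no other root-derived privilege, which is the point of making newrole setuid rather than granting it broader rights.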