[redhat-lspp] dev_allocator, udev and import/export requirements

Steve Grubb sgrubb at redhat.com
Thu Sep 8 13:26:46 UTC 2005


On Wednesday 07 September 2005 17:34, Janak Desai wrote:
> I have been looking at udev and TCS dev_allocator and I have some
> questions.

Me too. What is the real need for this utility? Does it play nicely with 
lockdev? How does it differ from just doing a chcon on the device?

> Are there patches to CUPS, login, star, etc that enforce the sensitivity
> label ranges stored in the dev_allocator.conf file?

This should be the responsibility of the OS to compare labels.

> LSPP requires that the TOE contain a mechanism by which an
> admin can assign security attributes to devices (single level
> or a range in case of multi-level).

chcon does this for example. The audit system should be configured to hook 
setxattr for the devices of the machine to generate audit records. No 
userspace utility should have to do that.

> These attributes are then used in the enforcement of MAC policy when
> users/programs use these devices. I am trying to get a handle on what we
> have to patch in order to satisfy LSPP import/export requirements with
> respect to terminals, printers and removable devices.

I'm wondering if we have to patch anything. How does this utility differ from 
chcon + audit setup to get setxattr events? Allowing write to unlabeled or 
read from unlabeled device could be enforced by policy. This way it has to be 
chcon'd in order to be accessible. A boolean could override that. Changing 
the boolean should be an auditable event.

-Steve
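
Added example, not part of the original message and not code from any project named in the thread: a sketch of reviewing the audit trail that hooking setxattr on device nodes would produce, correlating SYSCALL and PATH records by event serial. The log records are constructed and abbreviated, the syscall numbers assume x86_64, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# x86_64 numbers for the syscalls that set extended attributes (where SELinux labels live)
XATTR_SYSCALLS = {"188": "setxattr", "189": "lsetxattr", "190": "fsetxattr"}
X86_64 = "c000003e"  # assumption: other architectures number these syscalls differently
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed, abbreviated audit records (real records carry more fields)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1126186006.101:310): arch=c000003e syscall=188 success=yes exit=0 items=1 pid=2101 auid=500 uid=0 comm="chcon" exe="/usr/bin/chcon"
type=PATH msg=audit(1126186006.101:310): item=0 name="/dev/st0" inode=4211
type=SYSCALL msg=audit(1126186010.222:311): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2105 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1126186010.222:311): item=0 name="/dev/st0" inode=4211
type=SYSCALL msg=audit(1126186020.333:312): arch=c000003e syscall=188 success=no exit=-13 items=1 pid=2110 auid=501 uid=501 comm="chcon" exe="/usr/bin/chcon"
type=PATH msg=audit(1126186020.333:312): item=0 name="/dev/fd0" inode=4300
type=SYSCALL msg=audit(1126186030.444:313): arch=c000003e syscall=188 success=yes exit=0 items=1 pid=2120 auid=500 uid=500 comm="chcon" exe="/usr/bin/chcon"
type=PATH msg=audit(1126186030.444:313): item=0 name="/home/user/notes" inode=9001
"""

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event_id"] = m.group(2)
    return rec

def device_relabel_events(log_text, dev_prefix="/dev/"):
    """Find xattr-setting syscalls whose PATH record names a device node."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].append(rec)  # SYSCALL and PATH share a serial
    findings = []
    for event_id, recs in events.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL" and r.get("arch") == X86_64
                   and r.get("syscall") in XATTR_SYSCALLS), None)
        if sc is None:
            continue  # not an attribute change (e.g. a plain open of the device)
        for r in recs:
            if r.get("type") == "PATH" and r.get("name", "").startswith(dev_prefix):
                findings.append({"event": event_id, "device": r["name"],
                                 "call": XATTR_SYSCALLS[sc["syscall"]], "auid": sc["auid"],
                                 "exe": sc["exe"], "success": sc["success"] == "yes"})
    return findings
```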



