[redhat-lspp] LSPP/RBACPP requirements v.002

Chad Hanson chanson at TrustedCS.com
Wed Sep 28 21:57:20 UTC 2005


> 
> Going back to the requirement document posted by George, it says for
> this item: "Patch xinetd to obtain label from inbound connections and
> spawn child daemons with correct context."  To me, that means that
> xinetd is computing a context based on the inbound connection label
> (likely using the level from it in combination with the usual
> security_compute_create computation to get the domain transition).  I
> think that the idea is that if you connect to a server running at
> secret, the service is run at secret as well automagically.  Which
> sounds nice in some cases, but not necessarily what you want always.
> 

The desired behavior is to spawn off a process at the level of the incoming
packet. This is true since MLS policy is averse to changing labels. An
example of a few insecure protocols, such as telnet or ftp, would have them
start daemons at the incoming label. It would break the policy of the
connected network to have these daemons spawn at a higher or lower level, as
that would cause an upgrade/downgrade of data from the client to the server.

These controls should be in place on network logins also, as allowing
someone the ability to access data of label greater than network would cause
problems IMHO.

I have attached an xinetd patch which shows the concepts, but isn't entirely
applicable to the current code base.  We are currently working from a
baseline which has labeled skb buffers and the patch code utilizes these
features.  We are working to eliminate these features from our kernel as we
can find acceptable alternatives to this technology. Even with IPSEC, the
low level network controls are still weak since the LSM neutered the
earlier network hooks.

We are continuing to investigate ways to handle these deficiencies. 

-Chad    

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xinetd.patch
Type: application/octet-stream
Size: 3818 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20050928/a6acf8aa/attachment.obj>
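The label computation the quoted requirement describes (the MLS level taken from the peer of the accepted connection, the domain taken from the usual transition computation), as an added example that is not from the attached xinetd.patch or from xinetd itself. The SELinux context strings are constructed samples, and the libselinux calls named in the comments (getpeercon, security_compute_create, setexeccon) are only referenced, not invoked, so the block builds without libselinux.

```c
#include <stdio.h>
#include <string.h>

/* Return a pointer to the n-th ':' in s, or NULL if there are fewer. */
static const char *nth_colon(const char *s, int n)
{
    for (; *s; s++)
        if (*s == ':' && --n == 0)
            return s;
    return NULL;
}

/* Build the context for the child daemon: user:role:type come from the
 * context computed by the ordinary transition (security_compute_create),
 * the MLS level comes from the peer context of the connection (getpeercon).
 * A context is user:role:type[:level]; the level itself may contain ':'
 * (e.g. s0-s15:c0.c1023), so only the first three colons are separators.
 * Returns 0 on success, -1 if either context is malformed, the peer carries
 * no level (refuse rather than guess), or out is too small. */
int build_child_context(const char *computed, const char *peer,
                        char *out, size_t outlen)
{
    const char *level_sep = nth_colon(computed, 3);        /* ':' before level, if any */
    size_t prefix_len = level_sep ? (size_t)(level_sep - computed) : strlen(computed);
    const char *peer_level = nth_colon(peer, 3);

    if (nth_colon(computed, 2) == NULL)                    /* need user:role:type */
        return -1;
    if (peer_level == NULL || peer_level[1] == '\0')       /* peer has no level */
        return -1;
    peer_level++;                                          /* skip the ':' */
    if (prefix_len + 1 + strlen(peer_level) + 1 > outlen)
        return -1;
    memcpy(out, computed, prefix_len);
    out[prefix_len] = ':';
    strcpy(out + prefix_len + 1, peer_level);
    return 0;
}

int main(void)
{
    /* Constructed samples: a peer context as getpeercon(3) might report it for
     * the accepted socket, and a transition result for a hypothetical telnetd_t. */
    const char *peer = "system_u:object_r:unlabeled_t:s2:c0.c3";
    const char *computed = "system_u:system_r:telnetd_t:s0";
    char ctx[256];
    if (build_child_context(computed, peer, ctx, sizeof ctx) == 0)
        printf("child context: %s\n", ctx);   /* would go to setexeccon(3) before exec */
    else
        fprintf(stderr, "refusing to spawn: no usable peer level\n");
    return 0;
}
```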
