[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Casey Schaufler casey at schaufler-ca.com
Tue Jan 16 21:41:18 UTC 2007


--- Linda Knippers <linda.knippers at hp.com> wrote:


> There seems to be an issue with xinetd and ssh in
> the unlabeled
> networking case.  Sounds like xinetd gets confused
> with the context?
> Is the suggestion to have xinetd default to some
> level above systemlow,
> which would be the same default level for normal
> users?  Sounds
> reasonable that the two would have the same default
> but I don't
> understand why it matters what the specific level
> is.  Is that
> related to the mail from Casey, Joe and others about
> the default
> level for existing MLS operating systems or is there
> a technical
> issue with default level for regular users the way
> it is?

Past experience has been that a network
interface has to be treated as either a
multi label device with labeled packets or
as a single label device. A network
interface that does not label packets is
restricted to one and only one label.
That means that all logins across that
interface must be restricted to that label
for an evaluable configuration*. If your
xinetd and/or sshd allow logins at more
than one label through an interface that
does not label packets you will fail in
your evaluation. If sshd uses the user's
default MLS value for "unlabeled" networks
and that is not the label assigned that
interface your system does not meet the
LSPP requirements.

-----
* Yes, Unix MLS systems often allowed this
  evil behavior, but never in an evaluated
  configuration.


Casey Schaufler
casey at schaufler-ca.com
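A consistency check for the rule stated above, as an added example written for this page and not code from the thread or from any LSPP tooling: it parses SELinux-style MLS levels (the "s1:c0.c3" syntax is assumed), requires that an interface which does not label packets carry exactly one label, and flags every user whose default login level differs from that label. The interface range and the user defaults are constructed sample values.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a set of categories."""
    sens: int
    cats: frozenset

def parse_level(text):
    """Parse an MLS level such as 's1:c0.c3,c7' (SELinux syntax: 'cA.cB' is a range)."""
    sens_part, _, cat_part = text.strip().partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in {text!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        bounds = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not bounds:
            raise ValueError(f"bad category spec {item!r} in {text!r}")
        lo = int(bounds.group(1))
        hi = int(bounds.group(2)) if bounds.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted category range {item!r}")
        cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))

def parse_range(text):
    """'s1:c0.c3' -> (low, low); 's0-s15:c0.c1023' -> (low, high)."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    return low, (parse_level(high_text) if high_text else low)

def audit_unlabeled_interface(interface_range, user_defaults):
    """Findings for an interface that does not label packets: it must carry one
    label only, and each user's default login level must equal it. [] == consistent."""
    low, high = parse_range(interface_range)
    findings = []
    if low != high:
        findings.append(f"interface range {interface_range} is not a single label")
    for user, default in sorted(user_defaults.items()):
        if parse_level(default) != low:
            findings.append(f"user {user}: default {default} != interface label {interface_range}")
    return findings

# Constructed sample data, not taken from any real system.
SAMPLE_IFACE = "s1:c0.c3"
SAMPLE_USERS = {"alice": "s1:c0.c3", "bob": "s0", "carol": "s1:c0,c1,c2,c3"}
```

Running `audit_unlabeled_interface(SAMPLE_IFACE, SAMPLE_USERS)` reports only bob, whose default level would let sshd log him in at a label the interface is not permitted to carry.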



