[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Casey Schaufler casey at schaufler-ca.com
Fri Jan 19 00:07:23 UTC 2007


--- Klaus Weidner <klaus at atsec.com> wrote:


> The current system doesn't specifically support single label interfaces
> without labeled networking.

That would imply that all networks are
multilabel with labeled networking.

> The sshd implementation does support level selection when not using
> labeled networking, but obviously people will need to use labeled
> networking when they expect MLS constraints to be enforced on their
> network communication.

That is unfortunately not the case. People
will expect to hook their MLS box onto a
network with *gasp* Windows boxes, and
expect to be able to log into the MLS box
from the Windows boxes. If your sshd allows
someone to log in at two different labels
from the same Windows box I expect that
you will have an issue with your evaluators
because you have a device (e.g. eth0) that
does not enforce MLS policy.


Casey Schaufler
casey at schaufler-ca.com