--- Linda Knippers <[EMAIL PROTECTED]> wrote:
> There seems to be an issue with xinetd and ssh in the unlabeled
> networking case. Sounds like xinetd gets confused with the context?
> Is the suggestion to have xinetd default to some level above systemlow,
> which would be the same default level for normal users? Sounds
> reasonable that the two would have the same default but I don't
> understand why it matters what the specific level is. Is that
> related to the mail from Casey, Joe and others about the default
> level for existing MLS operating systems or is there a technical
> issue with default level for regular users the way it is?

Past experience has been that a network interface has to be treated as either a multi-label device with labeled packets or as a single-label device. A network interface that does not label packets is restricted to one and only one label. That means that all logins across that interface must be restricted to that label for an evaluable configuration*.

If your xinetd and/or sshd allow logins at more than one label through an interface that does not label packets you will fail in your evaluation. If sshd uses the user's default MLS value for "unlabeled" networks and that is not the label assigned that interface your system does not meet the LSPP requirements.

-----
* Yes, Unix MLS systems often allowed this evil behavior, but never in an evaluated configuration.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
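The single-label rule stated above (an unlabeled interface admits logins at exactly one label; a labeled interface admits any level in its range), written up as an added checker that is not code from this thread or from any LSPP project. The interface table and login attempts are constructed sample data, and only the sensitivity part of the MLS level (s0, s0-s15) is modelled, not categories.

```python
from dataclasses import dataclass
from typing import List, Tuple

def parse_range(text: str) -> Tuple[int, int]:
    """'s0' -> (0, 0); 's0-s15' -> (0, 15). Sensitivity only, categories ignored."""
    parts = text.split("-")
    if len(parts) > 2 or not all(p.startswith("s") and p[1:].isdigit() for p in parts):
        raise ValueError(f"bad MLS range: {text!r}")
    low, high = int(parts[0][1:]), int(parts[-1][1:])
    if low > high:
        raise ValueError(f"inverted MLS range: {text!r}")
    return low, high

@dataclass(frozen=True)
class Interface:
    name: str
    labeled: bool   # True: packets carry labels (multi-label device)
    mls: str        # label or range assigned to the interface, e.g. 's0' or 's0-s15'

@dataclass(frozen=True)
class Login:
    iface: str
    user: str
    level: str      # level the session would run at, e.g. the user's default 's2'

def check_logins(ifaces: List[Interface], logins: List[Login]) -> List[Tuple[str, str, str, str]]:
    """Return (user, iface, level, reason) for every login that would fail evaluation."""
    table = {i.name: i for i in ifaces}
    bad = []
    for lg in logins:
        iface = table.get(lg.iface)
        if iface is None:
            bad.append((lg.user, lg.iface, lg.level, "unknown interface"))
            continue
        low, high = parse_range(iface.mls)
        lvl, _ = parse_range(lg.level)
        if not iface.labeled:
            # Unlabeled interface: a single-label device. Every session must be
            # exactly that label, regardless of the user's own default level.
            if low != high or lvl != low:
                bad.append((lg.user, lg.iface, lg.level, f"unlabeled {iface.name} is single-label s{low}"))
        elif not (low <= lvl <= high):
            bad.append((lg.user, lg.iface, lg.level, f"outside labeled range {iface.mls}"))
    return bad

# Constructed sample: eth0 carries no labels and is pinned to systemlow (s0);
# eth1 labels its packets and may carry s0 through s15.
IFACES = [Interface("eth0", False, "s0"), Interface("eth1", True, "s0-s15")]
LOGINS = [Login("eth0", "alice", "s0"),   # matches the interface label: fine
          Login("eth0", "bob", "s2"),     # user's default level, not the interface label: fails
          Login("eth1", "carol", "s3"),   # within labeled range: fine
          Login("eth1", "dave", "s16")]   # above the range the interface is trusted for: fails
```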
