--- Paul Moore <[EMAIL PROTECTED]> wrote:

> On Thursday, January 18 2007 7:07 pm, Casey Schaufler wrote:
> > --- Klaus Weidner <[EMAIL PROTECTED]> wrote:
> > > The current system doesn't specifically support single label interfaces
> > > without labeled networking.
> >
> > That would imply that all networks are multilabel with labeled networking.
>
> I believe that is the assumption for the current LSPP evaluations, like it or
> not.

A single label network is OK provided only traffic at one label is allowed
across it. That's what we evaluated.

> > > The sshd implementation does support level selection when not using
> > > labeled networking, but obviously people will need to use labeled
> > > networking when they expect MLS constraints to be enforced on their
> > > network communication.
> >
> > That is unfortunately not the case. People will expect to hook their MLS
> > box onto a network with *gasp* Windows boxes, and expect to be able to log
> > into the MLS box from the Windows boxes. If your sshd allows someone to log
> > in at two different labels from the same Windows box I expect that you
> > will have an issue with your evaluators because you have a device (e.g.
> > eth0) that does not enforce MLS policy.
>
> Well, considering that we assume only labeled networks/interfaces then we
> don't really ever run into this problem

True enough.

> - if a machine is on the network it is sending labeled packets. If you have
> unlabeled networks you will need to put some sort of
> guard/barrier/router/firewall in place. I realize this is far from ideal,
> but I tend to think it's a reasonable first step.

Any of which could be used to implement a single level network interface.

> There are some things this first round of LSPP evaluations are not going to
> cover, but you have to draw the line somewhere (there is some old adage
> about shooting engineers, I can't remember it as I try to block it out).
> I'm confident we'll get it "right" but it's going to take some time. In the
> meantime we've still managed to pull something together which works, will
> be (knock on wood) RBAC/LSPP certified, and is somewhat useful.

Good plan.

> This stuff ain't easy - you of all people know that I'm sure :)

It certainly isn't.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
