Whazup?

Robert Watson robert at cyrus.watson.org
Fri Apr 7 22:22:23 GMT 2000


There's been a fair amount of discussion of the Linux implementations on
the POSIX.1e mailing list which I host.  POSIX.1e was the aborted effort
by a number of trusted operating system vendors to standardize POSIX API
extensions for features such as ACLs, Capabilities, Auditing, Information
Flow Labels, and MAC.

ACLs are not in the base Linux distribution at this point, although the
implementation is pretty mature.  Capabilities are in the Linux kernel,
but not supported in the file system, so applications typically are setuid
root, and then give up capabilities rather than gaining them by virtue of
the execution path.  I don't know of an auditing implementation; I know
that Tim Fraser at TIS Labs at Network Associates (a coworker of mine) has
a partial LOMAC implementation for Linux, but it was originally developed on
FreeBSD and may be ported back there.

There's also word of the impending Type Enforcement implementation by
Secure Computing, Inc., under contract from NSA.  TIS also has a DTE
implementation for BSD/OS that is being ported to FreeBSD; I may be
helping out with that some over the next few months.

I'll be pushing out an announcement about TrustedBSD this weekend--please
feel free to review the web site and send me comments so I can make sure
everything is in order.


  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services


On Fri, 7 Apr 2000 jont at us.ibm.com wrote:

> I hope nobody would beat you up, look at you strangely maybe.
> 
> Of course if you hunt around lots of it is being attempted in the Linux
> space
>      - ACL's (ext3 & others)
>      - audit (SGI ?)
>      - least privilege [kernel 'capabilities' - note the quotes :-]
> (transmeta)
>      - extended security models [e.g. GFAC, type enforcement, ...]
> (several)
>      - C2 assurance (US govt)
> 
> The weak spot is documentation ...
> 
> - JonT
> 
> ---
> Jon Tidswell
> Advanced OS Technology Group / Sawmill Linux Project
> IBM TJ Watson Research Center 30 Saw Mill River Road, Hawthorne, N.Y. 10532
> 
> Email: jont at us.ibm.com   Voice: +1 914 784 7550
> 
> 
> Georg Thomas <georg at dtai.com>@cyrus.watson.org on 04/07/2000 04:01:05 PM
> 
> Sent by:  owner-trustedbsd-discuss at cyrus.watson.org
> 
> 
> To:   trustedbsd-discuss at trustedbsd.org
> cc:
> Subject:  Whazup?
> 
> 
> 
> Dear All,
>    My name is Georg Thomas. I have been involved with compartmented mode
> workstations and trusted operating systems for a long time, pretty much
> all on HP hardware. I've been down in the guts of pretty much everything
> - networking, file system, mac enforcement.
>    I'm pretty interested in this. How much would you folks beat me up if
> I said I was interested in doing a Linux implementation of this?
> 
> Georg Thomas
> To Unsubscribe: send mail to majordomo at cyrus.watson.org
> with "unsubscribe trustedbsd-discuss" in the body of the message
> 
> 
> 