TrustedBSD Extensions Project (fwd)

richard offer offer at sgi.com
Thu Apr 20 22:55:43 GMT 2000 

* $ from rwatson at FreeBSD.org at "20-Apr: 1:23pm" | sed "1,$s/^/* /"
*
*
* On Tue, 11 Apr 2000, richard offer wrote:
*
* > * The mandatory access control components of TrustedBSD, as with other
* > * trusted operating systems, are intended to address the subject and object
* > * labeling requirements.  Specifically, all user data objects, and
subjects,
* > * are assigned security labels which limit the types of accesses that may
be
* > * performed.
* >
* > What are you intending to do for X ? Or are you only interested in the
server
* > problem space ?
*
* Sorry I missed this in the first round of comments, so figured I'd reply
* to it now (especially in light of your detailed TCB post) -- at this
* point, both based on the experience bases of those committing development
* time, and the immediate target audiences, support for MAC labeling in X is
* not on the agenda.  It has one of those "?"'s beside it :-).  In essence,
* at this point, we're targeting the server environment based on our own
* needs.
*
* That said, I think that having an implementation with integrated support
* for a workstation and management environment is very important.  If we can
* get a lot of this, ``for free'' by virtue of having consistent interfaces
* with the SGI Linux implementation, I'm all for that.  I'd also be very
* interested in drawing from other parts of the BSD community to identify
* developers with the right experience base, skills set, and interests to
* help on integration work with X Windows.

When I see some of the XFree86 developers at a face-to-face next month, I'm
going to bring it up. We may be able to contribute more code, but I've only
just thought of it (sans management discussion) and our X is completely
different to the sample implementation.

However if I'm right, before we can work on X we need something that has the
TSIX APIs implemented...they can return garbage, but they need to be there.

*
* One piece of support infrastructure that you point to as being required is
* TSIX, which to my (shallow) understanding is API and supporting
* standardization for tagging IPC channels with MAC labels (etc), both
* locally and across a network -- left out of POSIX.1e as POSIX doesn't
* attempt to address the sockets case.  Is this impression right, or am I
* thinking of something else?

That's my understanding (I'm really a client side X person faking it as Trust
person).

You may be interested in http://oss.sgi.com/projects/ob1/src/ (which I know has
been widely talked about), but there is an implementation of tsix (tsig) there,
both the user level library (LGPL) and the kernel component (GPL).

* Has interoperability been successfully
* demonstrated across trusted operating system platforms using mechanisms
* such as this?

That's my understanding.

* I'm far more confident about my understanding of the
* problem space in the context of a single OS on a single box, and less so
* in the network and cross-OS issues.

This is what makes it "interesting" :-)

*
*   Robert N M Watson
*


richard.


-----------------------------------------------------------------------
Richard Offer           Widget FAQ --> http://reality.sgi.com/widgetFAQ
MTS-Core Design (Motif)
___________________________________________http://reality.sgi.com/offer

To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list