What's the status of the project?
Ilmar S. Habibulin
ilmar at ints.ru
Tue Jun 12 19:36:08 GMT 2001
On Sun, 10 Jun 2001, Robert Watson wrote:
> TrustedBSD MAC: Initial implementation prototyped, but a
> reimplementation is underway relying on generic
> object labels, see below. This initial prototype
> enforced protections on processes and files, but
> didn't enforce protections regarding some forms
> of IPC or the network stack.
Local IPC objects are easy to protect. There are some issues, for ex., how
should sys V messages be labeled: like message or queue. But i think that
it is solvable problems.
Another one is passing labels over network connections inside packets. I
looked through FIPS 188, so i think, that CIPSO will be easily implemented
and work between TrustedBSD boxes just fine. But i don't know how to
achieve interoperability with other trusted systems. I have TSIG docs from
their www.tsix.org site, but there is not much. :(
> TrustedBSD Object Labels: Generic object labels abstract out
> protection behavior for kernel-maintained
> objects, allowing that behavior to be more
> easily substituted with new security
> models. Initial prototyping is underway,
> and we've successfully protected a number
> of kernel objects using them, as well
> as demonstrated compile-time
Did you look through my old patch, where i suggest to import part of
bitstring fuctionality into kernel? What do you think about it?
> TrustedBSD Auditing: On the drawing board still.
As i remember, i started your FreeBSD hardening project with POSIX 1e
audit implementation. ;-)))
PS. And what about your polygraph activities? Would we have an ability to
change MAC policies with labels on the fly?
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss