posix mac
Casey Schaufler
casey at sgi.com
Wed Apr 14 17:16:25 GMT 1999
Ilmar S. Habibulin wrote:
> Yes, that is a nice idea. I don't know what the starting point for posix
> standards is,
It was SVR3, with heavy input from a little school near Oakland.
> but I suppose that this 'starting point' must have network
> interconnection interfaces (API).
Nope. Sockets were introduced years into the process.
> So the lack of a sockets description (or some
> other network API) is a serious design flaw, imho.
Agreed. The lack of sockets in standards, security and otherwise,
has long been a primary battle cry for those who disparage standards.
> I'm speaking from a MAC implementor's point of view.
> Casey, point me to some network security efforts
> concerning MAC too.
http://www.tsig.org if you missed it.
> But at this point I think that we should rather limit
> network communications in such a way that only unclassified persons
> (processes) can make network connections.
I'm not sure what you mean here. It is very important that network
connections enforce the system security policies, including MAC.
That pretty well requires that some mechanism be put in place to
propagate security attributes (uids, MAC, capabilities, ...) along
with network communications. The TSIX (from TSIG) scheme does this,
as does IPSEC. I suggest that IPSEC is the future, and that that be
the scheme which is used unless it proves fatally flawed.
> > POSIX.1e provides a good starting point and guidance: I personally don't
> I agree with that. But people worked hard for several years. Are they
> here? Can we discuss our problems?
I was technical editor on the POSIX draft for the last three years,
and was involved with it from the beginning. I have also implemented
MAC twice (Sun and SGI) and maintained it for the past ten years.
I am happy to discuss any issues, as my time allows.
> Ok, let's forget about the decrement rule. But we've missed the _uncontrolled_
> objects. They are sockets and SysV IPCs.
Sockets can be addressed per TSIG and/or IPSEC.
SysV IPC objects are simple if you adopt a policy that all accesses
require write access. This is true for semaphores and message queues,
and close enough for shared memory as to not matter.
> And i don't like that many things
> are "implementation defined" or "unspecified".
No one does. They are there because of the differences in vendor
solutions to problems "outside the scope" of POSIX. Examples:
/dev/null
/dev/tty
/tmp
what label to give audit trails
what label to give system data
how to represent "System High"
--
Casey Schaufler voice: (650) 933-1634
casey at sgi.com fax: (650) 933-0170
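The "all SysV IPC accesses require write access" rule above, worked through as an added example. This is illustrative code written for this archive page; it is not from POSIX.1e, from the SGI or Sun implementations, or from anyone on the thread. The label layout (a hierarchical level plus a category bitmask), the level numbering, the operation names, and the decision that a MAC write check requires equal labels are all assumptions made for the example.

```c
/* Added example (not code from POSIX.1e, SGI, Sun or this thread): a toy
 * MAC label and the access checks behind the rule that every SysV IPC
 * access is treated as a write. Label layout, level numbering and the
 * equality rule for writes are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    unsigned level;   /* hierarchical sensitivity: 0 = UNCLASSIFIED .. 3 = TOP SECRET (assumed) */
    uint32_t cats;    /* non-hierarchical categories as a bitmask */
} mac_label;

typedef enum { MAC_READ, MAC_WRITE } mac_mode;

/* Operations on the three SysV IPC object types (names are this example's). */
typedef enum { OP_SEMOP, OP_MSGSND, OP_MSGRCV, OP_SHMAT_RDONLY, OP_SHMAT_RDWR } ipc_op;

mac_label mac_mk(unsigned level, uint32_t cats)
{
    mac_label l = { level, cats };
    return l;
}

/* a dominates b: a's level is at least b's and a's categories include b's. */
bool mac_dominates(mac_label a, mac_label b)
{
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* Read: subject must dominate object (no read up).
 * Write: object must dominate subject (no write down). Because a writable
 * object is in practice also readable, this example additionally requires
 * the subject to dominate the object, so "write" means equal labels.
 * That equality rule is an assumption of the example. */
bool mac_access(mac_label subj, mac_label obj, mac_mode mode)
{
    switch (mode) {
    case MAC_READ:
        return mac_dominates(subj, obj);
    case MAC_WRITE:
        return mac_dominates(subj, obj) && mac_dominates(obj, subj);
    }
    return false;
}

/* The IPC policy from the message: every operation, including the ones
 * that look read-only (msgrcv, shmat with SHM_RDONLY), is checked as a
 * write, so the per-call classification problem disappears. A semop or
 * msgrcv does change object state; the message calls the rule exact for
 * semaphores and message queues and close enough for shared memory. */
bool mac_ipc_access(mac_label subj, mac_label obj, ipc_op op)
{
    (void)op;   /* the operation type deliberately does not affect the decision */
    return mac_access(subj, obj, MAC_WRITE);
}

int main(void)
{
    mac_label ts_ab = mac_mk(3, 0x3);   /* TOP SECRET, categories A and B */
    mac_label s_a   = mac_mk(2, 0x1);   /* SECRET, category A */

    printf("TS{A,B} reads S{A} file:       %s\n", mac_access(ts_ab, s_a, MAC_READ) ? "allow" : "deny");
    printf("TS{A,B} writes S{A} file:      %s\n", mac_access(ts_ab, s_a, MAC_WRITE) ? "allow" : "deny");
    printf("TS{A,B} msgrcv on S{A} queue:  %s\n", mac_ipc_access(ts_ab, s_a, OP_MSGRCV) ? "allow" : "deny");
    printf("S{A} msgrcv on S{A} queue:     %s\n", mac_ipc_access(s_a, s_a, OP_MSGRCV) ? "allow" : "deny");
    return 0;
}
```

The point the example makes is the asymmetry: a TOP SECRET process may read a SECRET file (subject dominates object), but it may not receive from a SECRET message queue, because receiving is a write to the queue and the labels differ. Everything an IPC syscall does therefore reduces to a single equal-label test, which is why the policy is "simple" once adopted.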