Role and label selection question

Ilmar S. Habibulin ilmar at watson.org
Fri Jan 18 08:59:25 GMT 2002


In my old MLS implementation I used a special db for storing user MAC
labels. It was a simple implementation, so each user had exactly one label
specified. If there was no user record, the default label (SYSLOW) was
assigned. I think that a multilabel db is much more useful. It can be
something like /etc/group, with the first label used as the default
label for non-interactive activities (such as cron, for example). Also, we
must provide the ability to specify the needed label for such
non-interactive jobs (from the range of the user's permitted labels, of
course).

Another opinion of mine: /etc/capability should be merged into
/etc/login.conf. Users' initial capabilities are closer to resource
limits, so I think that situations where each of 10000 users of some
system has different initial capabilities are very rare or nonsense
altogether.

Now to MAC label assignment again. We can use PAM and PAMed
applications to ask for the desired label for a user session. So every app
would use one trusted authentication module, which would know about label
ranges, defaults, choices, etc. I think that it is hard to figure
everything out. We need some initial implementation of a working
environment in order to look at its merits and demerits.

Shell daemons need very close investigation and possibly rewrites. I was
trying to use a telnet session with network labeling enabled. It's funny,
but telnetd uses root privileges to handle the interaction between the
login shell and the remote client, so there was no flow control possible.
It's just my experiment; maybe with capabilities this would go away.

And I think that audit must be integrated into the cap and mac branches ASAP.
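
The multilabel lookup proposed in the message, sketched as an added example that is not part of the original post and is not TrustedBSD code. The `user:label,label,...` line format, the sample users, the label names other than SYSLOW, and the function names are assumptions; the permitted range is treated as an explicit list.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_LABEL "SYSLOW"  /* fallback for users with no record, as in the post */

/* Constructed sample database (hypothetical format): first label is the default. */
static const char *SAMPLE_DB =
    "alice:CONFIDENTIAL,SYSLOW,SECRET\n"
    "backup:SYSLOW\n";

/* Copy the label list for `user` into `out`; a missing or empty record yields DEFAULT_LABEL. */
static void user_labels(const char *db, const char *user, char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    const char *p = db;
    snprintf(out, outlen, "%s", DEFAULT_LABEL);
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > ulen + 1 && strncmp(p, user, ulen) == 0 && p[ulen] == ':') {
            snprintf(out, outlen, "%.*s", (int)(len - ulen - 1), p + ulen + 1);
            return;
        }
        p = eol ? eol + 1 : NULL;
    }
}

/* requested == NULL: non-interactive job without an explicit label, gets the default.
 * Returns 0 and fills `label`, or -1 if `requested` is not a permitted label. */
int select_label(const char *db, const char *user, const char *requested,
                 char *label, size_t labellen)
{
    char list[256], *tok;
    user_labels(db, user, list, sizeof list);
    for (tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (requested == NULL || strcmp(tok, requested) == 0) {
            snprintf(label, labellen, "%s", tok);
            return 0;
        }
    }
    return -1;  /* fail closed: no label is granted */
}

int main(void)
{
    char l[32];
    int rc = select_label(SAMPLE_DB, "alice", NULL, l, sizeof l);
    printf("alice default: rc=%d label=%s\n", rc, rc == 0 ? l : "(denied)");
    return 0;
}
```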


