What's the status of the project?

Ilmar S. Habibulin ilmar at ints.ru
Tue Jun 12 19:36:08 GMT 2001


On Sun, 10 Jun 2001, Robert Watson wrote:

> TrustedBSD MAC:		Initial implementation prototyped, but a
> 			reimplementation is underway relying on generic
> 			object labels, see below.  This initial prototype
> 			enforced protections on processes and files, but
> 			didn't enforce protections regarding some forms
> 			of IPC or the network stack.
Local IPC objects are easy to protect. There are some issues, for ex., how
should sys V messages be labeled: like message or queue. But i think that
it is solvable problems.
Another one is passing labels over network connections inside packets. I
looked through FIPS 188, so i think, that CIPSO will be easily implemented
and work between TrustedBSD boxes just fine. But i don't know how to
achieve interoperability with other trusted systems. I have TSIG docs from
their www.tsix.org site, but there is not much. :(

> TrustedBSD Object Labels:	Generic object labels abstract out
> 				protection behavior for kernel-maintained
> 				objects, allowing that behavior to be more
> 				easily substituted with new security
> 				models.  Initial prototyping is underway,
> 				and we've successfully protected a number
> 				of kernel objects using them, as well
> 				as demonstrated compile-time
> 				extensibility.
Did you look through my old patch, where i suggest to import part of
bitstring fuctionality into kernel? What do you think about it?

> TrustedBSD Auditing:	On the drawing board still.
As i remember, i started your FreeBSD hardening project with POSIX 1e
audit implementation. ;-)))

PS. And what about your polygraph activities? Would we have an ability to
change MAC policies with labels on the fly?



To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message



More information about the trustedbsd-discuss mailing list