On Tuesday 30 January 2007 10:48, Eamon Walsh <ewalsh(a)tycho.nsa.gov> wrote:
> there might be SELinux-enhanced e-mail clients,
> office applications, file managers in the future

Yes, we need all that.
There are some people interested in SE enhanced MUAs.
One issue is that SE-X is required for full functionality in this regard
(let's assume for the sake of discussion that almost everyone who matters
uses a GUI MUA). Another issue is that the design of MUAs is tending towards
greater integration with the desktop environment and larger, more complex code
bases.

I'm thinking of starting to attack this by developing a password sequestration
system for MUAs. The idea being that the MUA would run a SETGID program and
request a POP connection; it would be returned a file handle for an
authenticated connection but have no way of obtaining the password that was
used. This will offer significant security benefits in a non-SE environment
and even better protection with SE Linux. A compromised MUA would not be
able to obtain a password list and send it to a hostile party (it would be
able to proxy access to the POP server and to send copies of all stored
messages). Given the incidence of passwords being used for multiple
functions, this would significantly mitigate the risks of MUA-based attacks.

The current situation is tending towards having an ever increasing amount of
the practical system integrity dependent on the integrity of a single user
account (in which all programs run with the same security context).

Getting upstream support for labelled email is going to be very difficult with
the current client side security situation.

Now if we could just get web browsers to have their functionality split into
multiple programs with different security contexts...
--
russell(a)coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
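
The descriptor hand-off proposed in the message above, sketched as an added example (not code from the post or from any MUA): a helper authenticates to POP3 and passes the open socket to the client over a Unix socket with SCM_RIGHTS. All function names, the in-process fake server and the credentials are constructed for illustration; a real helper would be a separate setgid program reading the password from a store the MUA cannot access (Python 3.9+ for `send_fds`/`recv_fds`).

```python
import socket, threading

def _line(sock):
    """Read one CRLF-terminated line from a socket."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def helper_login(server, channel, user, password):
    """Helper side: authenticate, then pass the live descriptor to the MUA."""
    for cmd in (None, b"USER " + user, b"PASS " + password):  # None = greeting
        if cmd is not None:
            server.sendall(cmd + b"\r\n")
        if not _line(server).startswith(b"+OK"):
            raise PermissionError("POP3 login refused")
    socket.send_fds(channel, [b"1"], [server.fileno()])  # SCM_RIGHTS hand-off
    server.close()  # closes only the helper's copy of the descriptor

def mua_receive(channel):
    """MUA side: obtains an authenticated socket and never sees the password."""
    _, fds, _, _ = socket.recv_fds(channel, 1, 1)
    return socket.socket(fileno=fds[0])

def fake_pop_server(conn, user, password):
    """Constructed stand-in for a POP3 server, for this demo only."""
    conn.sendall(b"+OK ready\r\n")
    good = _line(conn) == b"USER " + user + b"\r\n"
    conn.sendall(b"+OK\r\n")
    good = (_line(conn) == b"PASS " + password + b"\r\n") and good
    conn.sendall(b"+OK logged in\r\n" if good else b"-ERR auth failed\r\n")
    if good and _line(conn) == b"STAT\r\n":
        conn.sendall(b"+OK 2 320\r\n")
    conn.close()

def demo(user=b"alice", secret=b"constructed-password"):
    srv, pop = socket.socketpair()            # stands in for the TCP link
    helper_chan, mua_chan = socket.socketpair()
    t = threading.Thread(target=fake_pop_server, args=(srv, user, secret))
    t.start()
    helper_login(pop, helper_chan, user, secret)  # only the helper holds secret
    conn = mua_receive(mua_chan)
    conn.sendall(b"STAT\r\n")
    reply = _line(conn)
    conn.close(); t.join()
    return reply
```

As the message notes, the client can still use the session it was handed; what it cannot do is recover the password for reuse elsewhere.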