20 Questions # 5 update [PSARC/2009/179 FastTrack timeout 03/25/2009]
Gary Winiger
gww at sac.sfbay.sun.com
Wed Mar 18 11:40:07 PDT 2009
At PSARC business today, we discussed a change to question 8 to prompt
project teams to consider not only if they run in zones, but also if
they affect Branded zones. Some of the motivation for adding
"Branded zones" came from a question from the security group as to how
to cover taking into account Trusted Extensions (TX).
It was suggested that something also be added to the security question #5.
I've created this case to capture my initial proposals and any conversation.
I'd like to receive input in a bounded time, so I've set a timer for
25 Mar, 2009.
Thanks,
Gary..
===============================================================================
Proposal 1:
5. Projects need to be aware of the overall security of the system and how
their components affect it. Which parts of this project are critical to
the security of the system to avoid such unintended consequences such
as unauthorized system entry, unauthorized access to or modification of
data, elevation of privilege, denial of service, ...? Does this project
- require elevated privilege?
+ require elevated privilege? Does the project interact with or affect
+ Solaris Trusted Extensions (TX)?
A number of specific policies and practices address various aspects of
the security of the system. They are found in appendix 1. Which of
these are applicable to this project, and how are they addressed?
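Review bot: In the two added lines, the new question says "the project" where every other question in item 5 says "this project"; use "Does this project interact with or affect Solaris Trusted Extensions (TX)?" for consistency. As a yes/no question it also gives teams no prompt to describe the interaction, so consider following it with "If so, how?".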
Proposal 2:
5. Projects need to be aware of the overall security of the system and how
their components affect it. Which parts of this project are critical to
the security of the system to avoid such unintended consequences such
as unauthorized system entry, unauthorized access to or modification of
- data, elevation of privilege, denial of service, ...? Does this project
+ data, elevation of privilege, denial of service, violation of labeled
+ security, ...? Does this project
require elevated privilege?
A number of specific policies and practices address various aspects of
the security of the system. They are found in appendix 1. Which of
these are applicable to this project, and how are they addressed?
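Review bot: The added phrase "violation of labeled security" never names Trusted Extensions, so a project team unfamiliar with labeling may not connect it to TX, which the cover note gives as the motivation; consider "violation of labeled security (Solaris Trusted Extensions)". The unchanged context above still reads "to avoid such unintended consequences such as", and since this hunk already edits that sentence, the doubled "such" could be fixed in the same change.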