levels in targeted mode

Brian Ginn BGinn at symark.com
Tue Apr 14 23:19:52 UTC 2009 

Thanks for the answers!  They bring up more questions for me, though.

As a user_u, with a non-secure tty, after 'su -', it makes some sense that newrole won't let me change the level.

>From that same non-secure terminal, however, I can ssh root at localhost and get all the access I want.

For both of those examples, I used ssh to get to the host, and both ptys have the type devpts_t, so I am not sure why one is considered more secure than the other.

I can envision that for many installations, making some pty types secure via /etc/selinux/targeted/contexts/securetty_types is an acceptable practice - even desired.

>From a more paranoid security viewpoint, wouldn't there be some installations where any non-secure terminal should be prohibited from gaining access to the sensitive data?
So, I am wondering 
1) From that same non-secure terminal, should 'ssh root at localhost' be allowed to get a terminal that is considered secure? 
2) Should a terminal from any non-SELinux host be considered non-secure and be prevented from accessing sensitive data?


Thanks,
Brian




-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Friday, April 10, 2009 6:23 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: levels in targeted mode

On Thu, 2009-04-09 at 17:38 -0700, Brian Ginn wrote:
> I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
> 
> If I ssh as root to that host, id -Z reports
>         root:system_r:unconfined_t:SystemLow-SystemHigh
> which includes a level.
> 
> If I ssh as a user to that same host, id -Z reports
>         user_u:system_r:unconfined_t
> which does not include a level.
> 
> As that user, If I su -, id -z reports
>         user_u:system_r:unconfined_t
> 
> If I then execute:
>         newrole -l SystemLow-SystemHigh
> I get an error:
>         Error: you are not allowed to change levels on a non secure terminal
> 
> I get the same behavior from sudo bash.
> 
> 
> Questions:
> 1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?

Search for "Multi-Category Security" aka MCS.  Not to be confused with
MLS.

> 2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?

The newrole non-secure terminal issue has to do with switching levels
when using a pty - newrole can only relabel one end of the pty, but
other end remains unchanged, thereby allowing downgrading of data.  You
can allow it by adding the type of your pty (e.g. unconfined_devpts_t or
whatever you see as the type field of ls -Z `tty`)
to /etc/selinux/targeted/contexts/securetty_types.

> 3: Is there a way to get from not having a level to SystemLow-SystemHigh?

First you have to authorize the user for a non-trivial range, using
semanage or system-config-selinux.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list