[redhat-lspp] Getting rid of multilevel objects

Klaus Weidner klaus at atsec.com
Fri Jul 7 20:55:37 UTC 2006


On Fri, Jul 07, 2006 at 12:48:40PM -0700, Casey Schaufler wrote:
> --- Klaus Weidner <klaus at atsec.com> wrote:
> > - on the slave end, spawn newrole to switch to a high level, send
> > your password through the pty.
> 
> The newrole analog on one Unix MLS system, "su -M <maclabel>" closes
> all open descriptors to prevent such a problem.
> 
> The problem here is not with the pty, rather with newrole, which
> oughtn't keep descriptors open if it is changing MLS label.

In this case, the descriptor is the standard input and output stream that
newrole uses for interaction, including reading its password, and closing
that will make it stop working since the system doesn't have a trusted
input/output path (which is a separate problem). newrole can't tell the
difference between legitimate pty use from ssh or in an xterm and the
unauthorized use, and it would be a very significant restriction to
permit only console access for newrole use.

Would it work to have newrole relabel the pty (maybe in a PAM session
module?), so that the controlling low process won't be able to read from
it?

-Klaus
