[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole
Russell Coker
russell at coker.com.au
Thu Oct 12 10:25:12 UTC 2006
On Thursday 12 October 2006 17:33, Klaus Weidner <klaus at atsec.com> wrote:
> If you need local console (or serial) login at different MLS levels for
> the same user, you can create multiple Linux users for each human user
> that share the same uid and home directory, and use "semanage login" to
> map them to appropriate levels. So you'd have smith_secret_cat1,
> smith_unclassified and so on.
That doesn't work well with password expiry policies. Having the
smith_secret_cat1 password expire at a different time from the
smith_unclassified password would be a pain for users and sys-admins.
Then if you want to use RSA SecurID or similar tokens you have an extra level
of pain in mapping them to the right Unix account names.
I think that the right solution is to re-enable the code for selecting the
role etc. at login time and add some code for selecting the level. It
should not be difficult to do this if there are no plans to ever support it
for ssh or X logins.
> It should still work to put a multilevel X desktop on top of this, since
> that presumably uses a mechanism other than "newrole" to launch terminals
> or windows at different levels. But that's only guesswork due to not
> having seen any code for this...
Can someone who has worked on one of these things before please comment on how
it's done?
It seems to me that the current way of managing desktops isn't going to work
(i.e. Gnome and KDE won't work).
Currently we have a desktop manager program that can launch an xterm (in the
same context) and then a shell (e.g. bash) is run in the same context as the
xterm. This means that if you run a hostile program in one xterm it can
ptrace or otherwise interfere with all processes back up to the desktop and down
again to another xterm. I guess we need to have a trusted desktop manager (I
use the term loosely; such a program probably wouldn't have 10% of the features
of anything we currently call a "desktop manager") that launches xterms in
different contexts depending on what they are doing and has the option of
launching an xterm that runs "newrole -l" (or maybe launches xterms at
different levels).
--
russell at coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
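Added example (not from either poster, and not part of the list archive): a small POSIX shell script that spells out the per-level account scheme Klaus describes and the "newrole -l" launch Russell mentions. It assumes the naming convention human_suffix from the quoted post, a default SELinux user of user_u, and a DRY_RUN wrapper so the generated useradd/semanage/newrole commands are printed rather than executed; run with DRY_RUN=0 as root on an MLS policy box to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (default) prints
# the commands that would be run; DRY_RUN=0 executes them (root, MLS policy).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept an MLS level or range: s2, s2:c1, s2:c0.c3,c7, s0-s2:c0.c1023.
valid_level() {
    printf '%s' "$1" | grep -Eq \
      '^s[0-9]+(:c[0-9]+(\.c[0-9]+)?(,c[0-9]+(\.c[0-9]+)?)*)?(-s[0-9]+(:c[0-9]+(\.c[0-9]+)?(,c[0-9]+(\.c[0-9]+)?)*)?)?$'
}

# add_level_account HUMAN UID HOME SUFFIX LEVEL [SEUSER]
# Creates HUMAN_SUFFIX sharing HUMAN's uid and home directory (useradd -o
# permits the duplicate uid, -M skips creating a second home) and maps the
# new login name to LEVEL with "semanage login". SEUSER defaults to user_u
# (an assumption; pick whatever SELinux user your policy gives that person).
add_level_account() {
    human=$1 uid=$2 home=$3 suffix=$4 level=$5 seuser=${6:-user_u}
    if ! valid_level "$level"; then
        echo "bad MLS level: $level" >&2
        return 1
    fi
    name="${human}_${suffix}"
    run useradd -o -u "$uid" -d "$home" -M "$name" &&
    run semanage login -a -s "$seuser" -r "$level" "$name"
}

# launch_at_level LEVEL COMMAND...
# The alternative for an already logged-in session: newrole -l changes the
# MLS level of a new shell, and everything after "--" is passed to that shell,
# so "-c xterm" starts one terminal at the requested level.
launch_at_level() {
    level=$1; shift
    if ! valid_level "$level"; then
        echo "bad MLS level: $level" >&2
        return 1
    fi
    run newrole -l "$level" -- -c "$*"
}

# Constructed sample: one human, two Linux logins at two levels.
if [ "${0##*/}" != sh ] && [ "$DRY_RUN" = 1 ]; then
    add_level_account smith 1000 /home/smith unclassified s0
    add_level_account smith 1000 /home/smith secret_cat1 s2:c1
    launch_at_level s2:c1 xterm
fi
```

The shared-uid trick makes the files look identical from both logins, but as Russell notes it gives the human two passwords to keep in step; the level-at-login approach he prefers would keep a single account and add the level to the existing role selection.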