[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

Russell Coker russell at coker.com.au
Thu Oct 12 10:25:12 UTC 2006


On Thursday 12 October 2006 17:33, Klaus Weidner <klaus at atsec.com> wrote:
> If you need local console (or serial) login at different MLS levels for
> the same user, you can create multiple Linux users for each human user
> that share the same uid and home directory, and use "semanage login" to
> map them to appropriate levels. So you'd have smith_secret_cat1,
> smith_unclassified and so on.

That doesn't work well with password expiry policies.  Having 
smith_secret_cat1 password expire at different times to smith_unclassified 
would be a pain for users and sys-admins.

Then if you want to use RSA SecurID or similar tokens you have an extra level 
of pain in mapping them to the right Unix account names.

I think that the right solution is to re-enable the code for selecting the 
role etc at login time and adding some code for selecting the level.  It 
should not be difficult to do this if there are no plans to ever support it 
for ssh or X logins.

> It should still work to put a multilevel X desktop on top of this, since
> that presumably uses a mechanism other than "newrole" to launch terminals
> or windows at different levels. But that's only guesswork due to not
> having seen any code for this...

Can someone who has worked on one of these things before please comment on how 
it's done?

It seems to me that the current way of managing desktops isn't going to work 
(i.e. Gnome and KDE won't work).

Currently we have a desktop manager program that can launch an xterm (in the 
same context) and then a shell (e.g. bash) is run in the same context as an 
xterm.  This means that if you run a hostile program in one xterm it can 
ptrace or otherwise interfere with all processes back to the desktop and down 
again to another xterm.  I guess we need to have a trusted desktop manager (I 
use the term loosely, such a program probably wouldn't have 10% the features 
of anything we currently call a "desktop manager") that launches xterms in 
different contexts depending on what they are doing and has the option of 
launching an xterm that runs "newrole -l" (or maybe launches xterms at 
different levels).

-- 
russell at coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
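The per-level login aliases that Klaus describes above, written out as an added shell example (not code from the thread or from the SELinux project): each alias is a separate Linux account that shares the base user's uid and home directory, and "semanage login" maps each alias name to its own MLS range. The alias names smith_unclassified and smith_secret_cat1 come from the thread; the uid 1500, the home /home/smith, the SELinux user staff_u and the ranges s0 and s2:c1 are assumed. By default the script only prints the commands; set MLS_DRY_RUN=0 on an MLS-enabled host to execute them.

```shell
#!/bin/sh
# Added example: one Linux account per clearance for a single human user on an
# SELinux MLS host. Every account shares the base user's uid and home, so files
# stay owned by one uid; the SELinux range differs per login name only.
# Assumed values: base user "smith" already exists with uid 1500 and group "smith",
# the policy defines the SELinux user staff_u, and s0 / s2:c1 are valid ranges.

BASE_USER=smith
BASE_UID=1500
BASE_HOME=/home/smith
SEUSER=staff_u

# clone_account_cmd ALIAS -> useradd line for an alias sharing uid and home.
# -o permits the duplicate uid, -M skips creating a second home directory.
clone_account_cmd() {
    printf 'useradd -o -u %s -d %s -M -g %s %s\n' \
        "$BASE_UID" "$BASE_HOME" "$BASE_USER" "$1"
}

# login_map_cmd ALIAS RANGE -> semanage line mapping the alias to an MLS range.
login_map_cmd() {
    printf 'semanage login -a -s %s -r %s %s\n' "$SEUSER" "$2" "$1"
}

# provision ALIAS RANGE -> print (MLS_DRY_RUN=1, the default) or run both steps.
provision() {
    for cmd in "$(clone_account_cmd "$1")" "$(login_map_cmd "$1" "$2")"; do
        if [ "${MLS_DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd" || return 1
        fi
    done
}

# Constructed mapping: one alias per level the user may log in at.
provision_all() {
    provision smith_unclassified s0
    provision smith_secret_cat1  s2:c1
}

provision_all
```

After applying, `semanage login -l` shows one line per alias with its range; a login as smith_secret_cat1 then starts at s2:c1 without any newrole step. The range argument may also be a span such as `s0-s2:c1`, which is what lets a single login name later raise its level with `newrole -l`. Note that each alias gets its own /etc/shadow entry, so password ageing (`chage`) is tracked per alias name rather than per human user.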