[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

Daniel J Walsh dwalsh at redhat.com
Thu Oct 26 14:09:48 UTC 2006


Stephen Smalley wrote:
> On Wed, 2006-10-25 at 15:15 -0400, James Antill wrote:
>   
>> On Wed, 2006-10-25 at 09:59 -0400, Stephen Smalley wrote:
>>     
>>> On Wed, 2006-10-25 at 09:50 -0400, James Antill wrote:
>>>       
>>>>  My understanding is that while security_check_context() allows it, the
>>>> setexeccon() will fail. Which seemed to be good enough.
>>>>         
>>> No, it won't.  Suppose that I have two Linux users A and B, with A
>>> authorized for category c0 and B authorized for category c2 in seusers,
>>> but both A and B are mapped to SELinux user U who is authorized for all
>>> categories in the kernel policy.  The login-style programs are naturally
>>> going to be authorized to transition to any of those contexts since they
>>> have to deal with user logins at any level, so the setexeccon() will
>>> succeed.  The SELinux security context will have U as the user identity,
>>> so it will always be valid.  You need an explicit check.
>>>       
>>  Ok, I had assumed that "U" would always be different in this case.
>>     
>
> BTW, using different SELinux user identities (U) was the approach before
> seusers came into being, but the point of seusers was to avoid having to
> rebuild the kernel policy every time you wanted to add, remove, or
> change a Linux user's authorized range.  Thus, the per-Linux-user
> restriction is specified in seusers and enforced by the login-style
> programs (and then subsequently bounded for the session based on the
> high/clearance level).
>   

I think the same check should be added to the cron patch also.
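
The explicit check discussed in this thread, sketched as an added example (not code from the thread, the sshd/newrole/cron patches, or libselinux). The seusers entries and the kernel-policy range for U are constructed to match Stephen's A/B/U scenario, and all function names are hypothetical.

```python
# Constructed sample in seusers format: linuxuser:seuser:range
SEUSERS = """\
A:U:s0-s0:c0
B:U:s0-s0:c2
"""
# Assumed kernel-policy range for SELinux user U ("authorized for all categories").
U_POLICY_RANGE = "s0-s0:c0.c1023"

def parse_level(level):
    """Parse an MLS level, e.g. 's0:c0,c2.c4' -> (0, frozenset({0, 2, 3, 4}))."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c2.c4' is an inclusive run
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(out)

def parse_range(rng):
    """Parse 'low-high' (or a single level) into two parsed levels."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """a dominates b: sensitivity at least as high and category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def level_in_range(level, rng):
    low, high = parse_range(rng)
    lvl = parse_level(level)
    return dominates(high, lvl) and dominates(lvl, low)

def seusers_lookup(linux_user, text=SEUSERS):
    """Return (seuser, range) for a Linux user from seusers-format text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, seuser, rng = line.split(":", 2)   # the range itself contains ':'
        if name == linux_user:
            return seuser, rng
    raise KeyError(linux_user)

def login_allows(linux_user, requested_level):
    """Return (level valid for the SELinux user, level within the seusers range)."""
    _seuser, rng = seusers_lookup(linux_user)
    valid_for_seuser = level_in_range(requested_level, U_POLICY_RANGE)
    within_seusers = level_in_range(requested_level, rng)
    return valid_for_seuser, within_seusers
```

For Linux user A requesting `s0:c2`, the first value is true (the context is valid for U) while the second is false, which is the case only the explicit seusers check catches.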




