[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole
Daniel J Walsh
dwalsh at redhat.com
Thu Oct 26 14:09:48 UTC 2006
Stephen Smalley wrote:
> On Wed, 2006-10-25 at 15:15 -0400, James Antill wrote:
>
>> On Wed, 2006-10-25 at 09:59 -0400, Stephen Smalley wrote:
>>
>>> On Wed, 2006-10-25 at 09:50 -0400, James Antill wrote:
>>>
>>>> My understanding is that while security_check_context() allows it, the
>>>> setexeccon() will fail. Which seemed to be good enough.
>>>>
>>> No, it won't. Suppose that I have two Linux users A and B, with A
>>> authorized for category c0 and B authorized for category c2 in seusers,
>>> but both A and B are mapped to SELinux user U who is authorized for all
>>> categories in the kernel policy. The login-style programs are naturally
>>> going to be authorized to transition to any of those contexts since they
>>> have to deal with user logins at any level, so the setexeccon() will
>>> succeed. The SELinux security context will have U as the user identity,
>>> so it will always be valid. You need an explicit check.
>>>
>> Ok, I had assumed that "U" would always be different in this case.
>>
>
> BTW, using different SELinux user identities (U) was the approach before
> seusers came into being, but the point of seusers was to avoid having to
> rebuild the kernel policy every time you wanted to add, remove, or
> change a Linux user's authorized range. Thus, the per-Linux-user
> restriction is specified in seusers and enforced by the login-style
> programs (and then subsequently bounded for the session based on the
> high/clearance level).
>
I think the same check should be added to the cron patch also.
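
The explicit check discussed in this thread, sketched as an added example (not code from the thread, from sshd/newrole, or from libselinux): test whether the requested level lies inside the range seusers gives the Linux user, since the context is always valid for SELinux user U. The function names and range strings are constructed for illustration, and the 64-category limit is a simplification.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One MLS level: sensitivity plus a category bitmask (c0..c63 only here). */
struct level { long sens; uint64_t cats; };

/* Parse "sN[:cA[.cB][,cC...]]"; returns 0 on success, -1 on error. */
static int parse_level(const char *s, struct level *out) {
    char *end;
    if (s[0] != 's' || s[1] < '0' || s[1] > '9') return -1;
    out->sens = strtol(s + 1, &end, 10);
    out->cats = 0;
    if (*end == '\0') return 0;
    if (*end != ':') return -1;
    do {
        long lo, hi;
        s = end + 1;
        if (s[0] != 'c' || s[1] < '0' || s[1] > '9') return -1;
        lo = hi = strtol(s + 1, &end, 10);
        if (*end == '.') {                     /* category span cA.cB */
            s = end + 1;
            if (s[0] != 'c' || s[1] < '0' || s[1] > '9') return -1;
            hi = strtol(s + 1, &end, 10);
        }
        if (hi > 63 || lo > hi) return -1;
        for (long c = lo; c <= hi; c++) out->cats |= (uint64_t)1 << c;
    } while (*end == ',');
    return *end == '\0' ? 0 : -1;
}

/* a dominates b: sensitivity at least as high, categories a superset. */
static int dominates(const struct level *a, const struct level *b) {
    return a->sens >= b->sens && (a->cats & b->cats) == b->cats;
}

/* Explicit check: 1 if `requested` lies inside the "low[-high]" range,
 * 0 otherwise (including any parse error, so it fails closed). */
int level_in_range(const char *range, const char *requested) {
    char buf[128], *dash;
    struct level lo, hi, req;
    if (strlen(range) >= sizeof buf) return 0;
    strcpy(buf, range);
    if ((dash = strchr(buf, '-')) != NULL) *dash = '\0';
    if (parse_level(buf, &lo) || parse_level(dash ? dash + 1 : buf, &hi) ||
        parse_level(requested, &req)) return 0;
    return dominates(&req, &lo) && dominates(&hi, &req);
}
```

With Linux user A given the constructed seusers range `s0-s0:c0`, a request for `s0:c2` is rejected here even though it falls inside the constructed range `s0-s0:c0.c63` for U, which is the gap that setexeccon() alone does not close.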