[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

James Antill james.antill at redhat.com
Wed Oct 25 13:50:51 UTC 2006


On Wed, 2006-10-25 at 08:22 -0400, Stephen Smalley wrote:

> To elaborate, as I understood it, seusers (managed via semanage login)
> was to provide per-Linux-user authorizations for MLS/MCS ranges, while
> multiple such Linux users might be mapped to a single SELinux user that
> was authorized for the full system range.  The login-style programs
> would then ensure that the range in the initial security context for the
> Linux user's session was limited by the value defined in seusers, and
> SELinux policy would subsequently ensure that processes in that session
> can not escalate outside of that range via newrole -l (or other
> mechanism).

 My understanding is that while security_check_context() allows it, the
setexeccon() will fail. Which seemed to be good enough.

> It isn't sufficient to check the validity of the context with the
> user-supplied level, because from the kernel's POV, any level might be
> authorized for the underlying SELinux user identity, whereas seusers
> might have defined a more restricted range for the Linux user identity.
> You need a check between the user-supplied level and the seusers-defined
> value (more generally, this could be an avc_has_perm or
> security_compute_av check between contexts containing those levels, and
> the underlying policy could define a mlsconstrain on the corresponding
> permission). 

-- 
James Antill - <james.antill at redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET,  SO_ATTACH_FILTER, ...);
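
The check described in the quoted text above, as an added example that is not part of the original message or of any SELinux code: the user-supplied level is compared with the range seusers defines for the Linux user, instead of only being validated as a context. The seusers entries, user names and function names are constructed; the sketch handles a single requested level, ignores `%group` entries, and assumes categories c0..c1023 and an SELinux user (`staff_u` here) that is authorized for the full range.

```python
import re

NCATS = 1024  # assumption: policy defines categories c0..c1023
# Constructed seusers entries (linux_user:selinux_user:range), not from a real system.
SEUSERS = """\
__default__:user_u:s0
alice:staff_u:s0-s2:c0.c3
bob:staff_u:s0-s15:c0.c1023
"""
_LEVEL = re.compile(r"s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?")

def parse_level(text):
    """Return (sensitivity, frozenset of categories) for e.g. 's2:c0.c3,c7'."""
    m = _LEVEL.fullmatch(text)
    if not m:
        raise ValueError(f"malformed level: {text!r}")
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = part.partition(".")
        lo, hi = int(lo[1:]), int((hi or lo)[1:])
        if lo > hi or hi >= NCATS:
            raise ValueError(f"bad category run: {part!r}")
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def seusers_range(linux_user, seusers=SEUSERS):
    """(low, high) levels for linux_user, falling back to __default__."""
    table = {}
    for line in seusers.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _seuser, rng = line.split(":", 2)
            table[name] = rng
    low, _, high = table.get(linux_user, table["__default__"]).partition("-")
    return parse_level(low), parse_level(high or low)

def level_allowed(linux_user, requested):
    """True only if the requested level lies inside the user's seusers range."""
    lo, hi = seusers_range(linux_user)
    req = parse_level(requested)
    return dominates(req, lo) and dominates(hi, req)

if __name__ == "__main__":
    for user, level in [("alice", "s1:c2"), ("alice", "s3"), ("carol", "s1")]:
        print(user, level, level_allowed(user, level))
```

Here `alice` and `bob` share one SELinux user, so a context carrying `s3` would be equally valid for either; only the comparison against the per-Linux-user range tells them apart.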
