[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole

Stephen Smalley sds at tycho.nsa.gov
Tue Oct 31 15:11:35 UTC 2006


On Tue, 2006-10-31 at 10:00 -0500, James Antill wrote:
> On Tue, 2006-10-31 at 09:24 -0500, Stephen Smalley wrote:
> > On Tue, 2006-10-31 at 09:23 -0500, Stephen Smalley wrote:
> > > 
> > > In addition to the permission name, I'd have expected the rule (and the
> > > check in the code) to always use the same type in both contexts, so the
> > > rules could just be:
> > > 	allow $1 self:context <permissionname>;
> > > 
> > > Not allow $1 domain:context, which will yield many more rules without
> > > any real justification.
> 
>  Ok, I can fix that to be just self:context.
> 
> > I'm also unclear as to what you are checking - you seem to be putting
> > this in authlogin, but I had expected this to be a check between two
> > user contexts, identical in all respects except for the MLS ranges (one
> > from seusers, one from the user-supplied input).
> 
>  AIUI the code in authlogin allows all of the login type programs (like
> getty) to call the check. The check being performed is in policy/mls and
> is just:
> 
> mlsconstrain context transition
>        ( h1 dom h2 );
> 
> ...have I misunderstood this?

As I understood it (and the code in pam seems to match this), you were
going to generate two security contexts for the user session, one based
on seusers and one based on the provided range, otherwise identical in
all respects, and apply a permission check between those two contexts.
So for example, if my seusers-defined default context would be
staff_u:staff_r:staff_t:s0-s0:c0.c255 and I entered a level of s0:c3 as
input, there would be a permission check made by pam_selinux between
staff_u:staff_r:staff_t:s0-s0:c0.c255 and staff_u:staff_r:staff_t:s0:c3.
Thus, the TE rule would have to be between staff_t and itself (i.e. the
user domains), not between local_login_t and anything.

We aren't checking whether login can do anything (or using its context
anywhere); we are checking whether the seusers-defined default context
for the user contains the user-supplied context.

-- 
Stephen Smalley
National Security Agency
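The two-context check described above, as an added worked example that is not code from this thread or from pam_selinux: it parses two contexts of the assumed form user:role:type:low-high (single level allowed, category sets written like c0.c255 or c1,c3.c5), requires them to be identical apart from the MLS range, and applies the h1 dom h2 test between their high levels.

```python
# Added example: the two-context check from the message, in plain Python.
# Assumed formats: 'user:role:type:low-high' (or a single level), levels
# 's<N>[:cats]', category sets like 'c0.c255' or 'c1,c3.c5'.
import re


def parse_cats(text):
    """Expand a category set such as 'c0.c3,c7' into {0, 1, 2, 3, 7}."""
    cats = set()
    for piece in filter(None, text.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", piece)
        if not m:
            raise ValueError("bad category set: %r" % text)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(text):
    """'s0:c0.c255' -> (0, {0..255}); a bare 's1' has no categories."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError("bad level: %r" % text)
    return int(m.group(1)), parse_cats(cats)


def parse_context(ctx):
    """Split a context into (user, role, type, low, high); a range with
    no '-' is a single level, so low == high."""
    user, role, type_, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    low_lvl = parse_level(low)
    return user, role, type_, low_lvl, (parse_level(high) if high else low_lvl)


def dom(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a
    superset of cats(b)."""
    return a[0] >= b[0] and a[1] >= b[1]


def default_contains_requested(default_ctx, requested_ctx):
    """The check pam_selinux is described as making: both contexts agree
    on user, role and type, and the high level of the seusers default
    dominates the high level of the user-supplied one (h1 dom h2)."""
    d, r = parse_context(default_ctx), parse_context(requested_ctx)
    return d[:3] == r[:3] and dom(d[4], r[4])
```

With the message's own example, the seusers default staff_u:staff_r:staff_t:s0-s0:c0.c255 contains staff_u:staff_r:staff_t:s0:c3, while a request for s1, for a category outside c0.c255, or with a different user, role or type is rejected.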