levels in targeted mode

[Stephen Smalley]

On Thu, 2009-04-09 at 17:38 -0700, Brian Ginn wrote:
> I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
> 
> If I ssh as root to that host, id -Z reports
>         root:system_r:unconfined_t:SystemLow-SystemHigh
> which includes a level.
> 
> If I ssh as a user to that same host, id -Z reports
>         user_u:system_r:unconfined_t
> which does not include a level.
> 
> As that user, If I su -, id -z reports
>         user_u:system_r:unconfined_t
> 
> If I then execute:
>         newrole -l SystemLow-SystemHigh
> I get an error:
>         Error: you are not allowed to change levels on a non secure terminal
> 
> I get the same behavior from sudo bash.
> 
> 
> Questions:
> 1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?

Search for "Multi-Category Security" aka MCS.  Not to be confused with
MLS.

> 2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?

The newrole non-secure terminal issue has to do with switching levels
when using a pty - newrole can only relabel one end of the pty, but
other end remains unchanged, thereby allowing downgrading of data.  You
can allow it by adding the type of your pty (e.g. unconfined_devpts_t or
whatever you see as the type field of ls -Z `tty`)
to /etc/selinux/targeted/contexts/securetty_types.

> 3: Is there a way to get from not having a level to SystemLow-SystemHigh?

First you have to authorize the user for a non-trivial range, using
semanage or system-config-selinux.

-- 
Stephen Smalley
National Security Agency