[redhat-lspp] dev_allocator, udev and import/export requirements

Stephen Smalley sds at tycho.nsa.gov
Thu Sep 8 16:26:04 UTC 2005 

On Thu, 2005-09-08 at 11:49 -0400, Janak Desai wrote:
> Stephen Smalley wrote:
> > Another option would be to amend the mls_compute_sid logic so that it
> > will fail if the process level falls outside of the original tty range.
> > At present, it doesn't take the original tty context into account at
> > all; it just sets the level in the returned context to the process
> > level, so that login et al relabel the tty to the same level as the user
> > session without considering the original level/range on the tty.
> >
> 
> Please bear with me as I am still learning the magic that is the
> security server. So, if I understand correctly, with this change the
> security_compute_relabel from pam_selinux, which is called with the
> target of the tty context, will fail if the process falls outside the
> target (tty) range, right?

Yes.  Under the assumption that you initially label all ttys with their
maximal ranges in file_contexts.

>  If so, that would work. I guess we
> would have to check all the uses of security_compute_relabel but
> that is preferable than complicated setup or the trying to catch it
> at the actual relabel attempt described below.

Unclear.  Running each getty with a particular range has the benefit of
implicitly bounding the allowed user sessions on that tty without
requiring any trust in login/pam.  Also, note that current code in
pam_selinux and openssh-selinux.patch tries to proceed even if the tty
relabel fails, so you would have to change that behavior.  It only
considers a failure to set the exec context as fatal.  

> mls_compute_sid can take care of login and friends, and CUPS currently
> upgrades print data to the process label so checking device access
> against process label should be sufficient. What about backup devices
> and star?  For example, if tape device is marked single level top
> secret, then should a process at top secret be able to write an
> unclassified or secret file to a tape? If no, then I am not sure how
> star can prevent such a thing since a top secret process has write
> access to a top secret tape drive and read access to unclassified
> files.

Why would you want to prevent it?  Doesn't violate simple or *
properties.

-- 
Stephen Smalley
National Security Agency

More information about the redhat-lspp mailing list