[redhat-lspp] login restriction based on terminal range ..

JANAK DESAI janak at us.ibm.com
Fri Jan 13 18:37:26 UTC 2006


Hello,

A few months back I had posed a question on how to prevent a
user from logging on to a terminal with a level that is outside the
terminal's sensitivity label range. Stephen suggested some
alternatives but I don't think we reached any conclusion on the
best way to achieve this. I am quoting below Stephen's email
with possible approaches. I would appreciate it if you can share
your thoughts ...

-Janak

------------------------------------------------------------------------------

>On Thu, 2005-09-08 at 10:21 -0400, Janak Desai wrote
>> Yes, true. What I meant to say was, how will login handle
>> single level terminals or multilevel terminals with a range
>> of secret to top secret? How will a user cleared to top secret
>> be prevented from logging in at unclassified on a terminal
>> marked "secret to top secret"? Does get_ordered_context_list
>> take login terminal into account? Similar situations apply
>> to printing on multilevel print device or backing up to
>> multilevel tape device, right? Maybe I am still stuck on
>> my SecureWare B1 way of thinking.
>
>get_ordered_context_list/get_default_context doesn't take the terminal
>into account per se, although it does take the context of the calling
>process into account (the fromcon, which defaults to the result of a
>getcon(3) if left NULL).  Hence, you could run different login processes
>with different ranges, although setup might be a pain.
>
>Another option would be to amend the mls_compute_sid logic so that it
>will fail if the process level falls outside of the original tty range.
>At present, it doesn't take the original tty context into account at
>all; it just sets the level in the returned context to the process
>level, so that login et al relabel the tty to the same level as the user
>session without considering the original level/range on the tty.
>
>Or you could try to catch it upon the actual relabel (setfilecon)
>operation by login et al, by defining a mlsvalidatetrans constraint that
>prohibits the tty from being relabeled outside of its original range.
>Although I'm not sure how you would then deal with the need to restore
>it upon session close.
>
>-- 
>Stephen Smalley
>National Security Agency
>
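
Added example, not part of either e-mail and not libselinux or kernel code: the approaches quoted above all need the same test, whether the session level lies inside the tty's original range as well as the user's own range. The function names and the mapping of s0/s2/s3 to unclassified/secret/top secret are assumptions made for this sketch.

```python
# Added illustration: MLS "level within range" check for a login session.
# Not code from libselinux, the kernel, or the thread's participants.
import re

_CAT = re.compile(r"c(\d+)(?:\.c(\d+))?")

def parse_level(text):
    """'s2:c0.c3,c7' -> (2, frozenset({0, 1, 2, 3, 7}))."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {text!r}")
    members = set()
    for part in filter(None, cats.split(",")):
        m = _CAT.fullmatch(part)
        if not m:
            raise ValueError(f"bad category in {text!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if hi < lo:
            raise ValueError(f"reversed category span in {text!r}")
        members.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(members)

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """'s2-s3:c0.c3' -> (low, high); a single level is a one-point range."""
    low_s, sep, high_s = text.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if sep else low
    if not dominates(high, low):
        raise ValueError(f"high does not dominate low in {text!r}")
    return low, high

def level_in_range(level, rng):
    """True when low <= level <= high under the dominance ordering."""
    low, high = parse_range(rng)
    lvl = parse_level(level)
    return dominates(lvl, low) and dominates(high, lvl)

def login_allowed(session_level, user_range, tty_range):
    """Session level must sit inside the user's range AND the tty's range."""
    return (level_in_range(session_level, user_range)
            and level_in_range(session_level, tty_range))

# Constructed case from the thread: user cleared s0-s3, tty labelled s2-s3.
if __name__ == "__main__":
    for lvl in ("s0", "s2", "s3"):
        print(lvl, login_allowed(lvl, "s0-s3", "s2-s3"))
```

Levels that are incomparable with either end of the tty range (for example a category the tty's high level does not carry) are rejected, since neither dominance test holds for them.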



