[redhat-lspp] login restriction based on terminal range ..

Sat Jan 14 06:21:43 UTC 2006

JANAK DESAI wrote:
> Hello,
>
> A few months back I had posed a question on how to prevent a
> user from logging on to a terminal with a level that is outside the
> terminal's sensitivity label range. Stephen suggested some
> alternatives but I don't think we reached any conclusion on the
> best way to achieve this. I am quoting below Stephen's email
> with possible approaches. I would appreciate if you can share
> your thoughts ...
>
> -Janak
>
> ------------------------------------------------------------------------------ 
>
>
>> On Thu, 2005-09-08 at 10:21 -0400, Janak Desai wrote
>>> Yes, true. What I meant to say was, how will login handle
>>> single level terminals or multilevel terminals with a range
>>> of secret to top secret? How will a user cleared to top secret
>>> be prevented from loggin in at unclassified on a terminal
>>> marked "secret to top secret"? Does get_ordered_context_list
>>> take login terminal into account? Similar situations apply
>>> to printing on multilevel print device or backing up to
>>> multilevel tape device, right? Maybe I am still stuck on
>>> my SecureWare B1 way of thinking.
>>
>> get_ordered_context_list/get_default_context doesn't take the terminal
>> into account per se, although it does take the context of the calling
>> process into account (the fromcon, which defaults to the result of a
>> getcon(3) if left NULL).  Hence, you could run different login processes
>> with different ranges, although setup might be a pain.
>>
>> Another option would be to amend the mls_compute_sid logic so that it
>> will fail if the process level falls outside of the original tty range.
>> At present, it doesn't take the original tty context into account at
>> all; it just sets the level in the returned context to the process
>> level, so that login et al relabel the tty to the same level as the user
>> session without considering the original level/range on the tty.
>>
>> Or you could try to catch it upon the actual relabel (setfilecon)
>> operation by login et al, by defining a mlsvalidatetrans constraint that
>> prohibits the tty from being relabeled outside of its original range.
>> Although I'm not sure how you would then deal with the need to restore
>> it upon session close.
>>
We also heard about something similar to this from potential customers.  
We now have
get_ordered_context_list_with_level which pam_selinux passes the level 
that it retrieves from getseuserbyname.  We could either change pam or 
getseuserbyname to get the Minimum/Maximum settings for a terminal 
(Machine) and adjust the level appropriately.  How you determine the 
Minimum/Maximum and modify the level is another thing.


>> -- 
>> Stephen Smalley
>> National Security Agency
>>
>
> -- 
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp