[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole
Daniel J Walsh
dwalsh at redhat.com
Thu Oct 19 14:06:57 UTC 2006
Stephen Smalley wrote:
> On Thu, 2006-10-19 at 09:21 -0400, Daniel J Walsh wrote:
>
>> So one proposed solution to this is to take away the newrole -l
>> functionality altogether and to add Sensitivity selection to the local
>> login.
>>
>> We can implement pam_selinux to ask for the sensitivity level
>>
>>
>> username: dwalsh
>> passwd: ********
>> Sensitivity: SystemLow
>>
>> If we then remove -l from newrole we are done?
>>
>
> pam_selinux used to have support to let the user pick from the list of
> reachable contexts for the user. So you could just restore that
> support.
>
I don't think so. This allowed you to select your TE role, not your
Sensitivity. The problem is selecting your sensitivity. Since there is
a large number of sensitivities a user can log in as, he will need to
key it in.
> That doesn't address sshd though. Or gdm. sshd shouldn't be too
> difficult. There were some externally developed gdm patches for selinux
> that enabled context selection long ago, but nothing recent
> (pre-Fedora).
>
I thought the sshd would happen automatically when you log in via a secure
channel. I.e., if I connect at TopSecret, I get TopSecret.
I think gdm will require other features such that I launch terminals at
different sensitivity levels???
I think we should separate the TE Context selection from the Sensitivity
Selection, in order to satisfy the MLS problems.
> You don't need to remove -l from newrole; you can just constrain its use
> via DAC and via SELinux policy, as Klaus has previously suggested.
>
>
So it will not work on ptys? Or are you thinking a boolean? I think it
will be strange for a user to have the app work differently depending on
how they logged in, but I guess this is another shortcoming of MLS.