[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole
Stephen Smalley
sds at tycho.nsa.gov
Thu Oct 19 14:32:35 UTC 2006
On Thu, 2006-10-19 at 10:06 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > pam_selinux used to have support to let the user pick from the list of
> > reachable contexts for the user. So you could just restore that
> > support.
> >
> I don't think so. This allowed you to select your TE role, not your
> Sensitivity. The problem is selecting your sensivity. Since there is
> an large number of sensitivities a user can log in as he will need to
> key it in.
Ah, I was thinking of the old MLS implementation, pre-TCS. Fair point.
> > That doesn't address sshd though. Or gdm. sshd shouldn't be too
> > difficult. There were some externally developed gdm patches for selinux
> > that enabled context selection long ago, but nothing recent
> > (pre-Fedora).
> >
> I though the sshd would happen automatically when you login via a secure
> channel. IE If I connect at TopSecret, I get TopSecret.
Only if running it via the modified xinetd and only if using labeled
networking. Otherwise, you still need a way for users to select a level
for their session.
> I think gdm will require other features such that I launch terminals at
> different sensitivity levels???
Well, doing that right requires security enhanced X, a modified window
manager, and a trusted path, so that won't be happening today.
> I think we should separate the TE Context selection from the Sensitivity
> Selection, in order to satisfy the MLS problems.
Ok.
> > You don't need to remove -l from newrole; you can just constrain its use
> > via DAC and via SELinux policy, as Klaus has previously suggested.
> >
> >
> So it will not work on ptys? Or are you thinking a boolean? I think it
> will be strange for a user to have the app work differently depending on
> how they logged in, but I guess this is another short coming of MLS.
It would be restricted via DAC mode and possibly a boolean in policy,
such that an admin could allow use of it if desired. Only the LSPP
config would need to lock it down.
--
Stephen Smalley
National Security Agency
More information about the redhat-lspp
mailing list