[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

Casey Schaufler casey at schaufler-ca.com
Sat Oct 21 04:37:32 UTC 2006



--- Daniel J Walsh <dwalsh at redhat.com> wrote:

> ...  Since there is 
> a large number of sensitivities a user can log in
> as he will need to 
> key it in.

Existing systems allow the user a default MLS
value that is used (on a terminal) if none is
specified (e.g. just hit ENTER at the label
prompt).


> I thought the sshd would happen automatically when
> you login via a secure 
> channel.  IE If I connect at TopSecret, I get
> TopSecret.

This is the usual behavior, but we're talking
about real deployments here, so there will
always be someone who wants (and is unwilling
to use/buy a system that won't allow her) to
log in at multiple labels across a single
level network. For your system to be popular
you need to provide the facility. Just consider
the admin who wants to log in at SystemHigh
to fix the broken network.

> I think gdm will require other features such that I
> launch terminals at 
> different sensitivity levels???
> 
> I think we should separate the TE Context selection
> from the Sensitivity 
> Selection, in order to satisfy the MLS problems.

From the standpoint of someone who likes MLS
better than TE, I agree, but from the standpoint
of someone who hates to see mixed metaphors
I disagree.


> So it will not work on ptys?  Or are you thinking a
> boolean? I think it 
> will be strange for a user to have the app work
> differently depending on 
> how they logged in, but I guess this is another
> shortcoming of MLS.

I don't get how this is a shortcoming of MLS.


Casey Schaufler
casey at schaufler-ca.com