[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

Stephen Smalley sds at tycho.nsa.gov
Wed Oct 25 21:36:32 UTC 2006


On Wed, 2006-10-25 at 15:15 -0400, James Antill wrote:
> On Wed, 2006-10-25 at 09:59 -0400, Stephen Smalley wrote:
> > On Wed, 2006-10-25 at 09:50 -0400, James Antill wrote:
> > >  My understanding is that while security_check_context() allows it, the
> > > setexeccon() will fail. Which seemed to be good enough.
> > 
> > No, it won't.  Suppose that I have two Linux users A and B, with A
> > authorized for category c0 and B authorized for category c2 in seusers,
> > but both A and B are mapped to SELinux user U who is authorized for all
> > categories in the kernel policy.  The login-style programs are naturally
> > going to be authorized to transition to any of those contexts since they
> > have to deal with user logins at any level, so the setexeccon() will
> > succeed.  The SELinux security context will have U as the user identity,
> > so it will always be valid.  You need an explicit check.
> 
>  Ok, I had assumed that "U" would always be different in this case.

BTW, using different SELinux user identities (U) was the approach before
seusers came into being, but the point of seusers was to avoid having to
rebuild the kernel policy every time you wanted to add, remove, or
change a Linux user's authorized range.  Thus, the per-Linux-user
restriction is specified in seusers and enforced by the login-style
programs (and then subsequently bounded for the session based on the
high/clearance level).

-- 
Stephen Smalley
National Security Agency
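
The explicit check called for in the message above, as an added example (not part of the original message, and not libselinux or login-program code): the requested level is compared against the range that seusers gives the Linux user, independently of whether the resulting context is valid for SELinux user U. The function names, the `s0` sensitivity, the sample ranges and the c0..c63 category limit are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct level { int sens; uint64_t cats; };  /* sensitivity + bitmask of c0..c63 */

/* Parse "s0", "s0:c0" or "s0:c0.c3,c7"; returns first unparsed char, NULL on error. */
static const char *parse_level(const char *s, struct level *out)
{
    char *end;
    out->cats = 0;
    if (*s != 's') return NULL;
    out->sens = (int)strtol(s + 1, &end, 10);
    if (end == s + 1) return NULL;
    if (*end != ':') return end;                /* level without categories */
    do {
        const char *p = end + 1;                /* step past ':' or ',' */
        if (*p++ != 'c') return NULL;
        long lo = strtol(p, &end, 10), hi = lo;
        if (end == p) return NULL;
        if (*end == '.' && end[1] == 'c') {     /* category span cN.cM */
            hi = strtol(p = end + 2, &end, 10);
            if (end == p) return NULL;
        }
        if (lo < 0 || hi > 63 || lo > hi) return NULL;
        for (long c = lo; c <= hi; c++) out->cats |= 1ULL << c;
    } while (*end == ',');
    return end;
}

/* a dominates b: sensitivity is at least b's and categories are a superset of b's. */
static int dominates(const struct level *a, const struct level *b)
{ return a->sens >= b->sens && (a->cats & b->cats) == b->cats; }

/* 1 if requested lies within the per-Linux-user range "low-high" (or single level). */
int level_in_range(const char *range, const char *requested)
{
    struct level lo = {0, 0}, hi = {0, 0}, req = {0, 0};
    const char *e = parse_level(range, &lo), *r = parse_level(requested, &req);
    if (e && *e == '-') e = parse_level(e + 1, &hi); else hi = lo;
    if (!e || *e || !r || *r) return 0;         /* unparsable input is denied */
    return dominates(&hi, &lo) && dominates(&req, &lo) && dominates(&hi, &req);
}

int main(void)
{
    printf("A at s0:c0: %d, A at s0:c2: %d\n",   /* constructed range for user A */
           level_in_range("s0-s0:c0", "s0:c0"), level_in_range("s0-s0:c0", "s0:c2"));
    return 0;
}
```

Checked against a constructed range for U covering all categories, the same `s0:c2` request passes, which is why a context-validity test alone cannot separate A from B.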
