[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Klaus Weidner klaus at atsec.com
Thu Jan 18 23:07:29 UTC 2007


On Tue, Jan 16, 2007 at 03:37:28PM -0500, Linda Knippers wrote:
> I'm reading the discussion about xinetd and changing the default level
> for regular users.  What isn't clear from the discussion is what the
> actual problem is that we'd be working around.
> 
> There seems to be an issue with xinetd and ssh in the unlabeled
> networking case.  Sounds like xinetd gets confused with the context?
> Is the suggestion to have xinetd default to some level above systemlow,
> which would be the same default level for normal users?  Sounds
> reasonable that the two would have the same default but I don't
> understand why it matters what the specific level is.  Is that
> related to the mail from Casey, Joe and others about the default
> level for existing MLS operating systems or is there a technical
> issue with default level for regular users the way it is?

The current problem is that the new ssh level selection code allows users
to select levels even if labeled networking is active when using the
standalone sshd.

Users can only connect to sshd when their level is "SystemLow"; in other
cases the MLS constraints will deny the TCP connection before sshd gets
it. But if a user is running at SystemLow, he can use "ssh
username/user_r/Secret at localhost" to get a shell running at "Secret"
level (assuming he's cleared for that), and the information will travel
over a network connection labeled SystemLow, which isn't supposed to be
permitted.

The sshd-via-xinetd approach which was designed for use with labeled
networking doesn't have that problem, so shutting down standalone sshd
when labeled networking is active would solve this issue.

The reason for proposing a non-SystemLow default lower level for nonadmin
users is to provide additional protection; currently "Unclassified" is
mapped to "s1" while "SystemLow" is "s0", so an "Unclassified" user would
not be permitted to connect to a standalone sshd running at SystemLow
when labeled networking is active.

-Klaus
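The level checks behind the explanation above, as an added example that is not part of the thread or of the sshd/xinetd code: it parses SELinux MLS levels and the "user/role/level" ssh login string quoted in the mail, and tests whether a standalone sshd connection is possible and whether a requested session level would ride on a lower-labeled connection. The "SystemLow" -> s0 and "Unclassified" -> s1 mappings are from the mail; "Secret" -> s2 is an assumption.

```python
from dataclasses import dataclass

# Translation table: SystemLow/Unclassified as stated in the thread; Secret is assumed.
LEVEL_NAMES = {"SystemLow": "s0", "Unclassified": "s1", "Secret": "s2"}


@dataclass(frozen=True)
class Level:
    sens: int              # sensitivity sN
    cats: frozenset        # category set {0, 1, ...}

    def dominates(self, other):
        """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """Parse 's2:c0.c3,c7' or a translated name such as 'Secret' into a Level."""
    raw = LEVEL_NAMES.get(text, text)
    sens_part, _, cat_part = raw.partition(":")
    if not (sens_part.startswith("s") and sens_part[1:].isdigit()):
        raise ValueError(f"bad sensitivity: {raw!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")          # 'c0.c3' is a range, 'c7' a single category
        lo_n, hi_n = int(lo[1:]), (int(hi[1:]) if hi else int(lo[1:]))
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens_part[1:]), frozenset(cats))


SYSTEM_LOW = parse_level("SystemLow")


def standalone_sshd_connect_allowed(client_level):
    """Per the thread, the TCP connection to standalone sshd only survives at SystemLow."""
    return parse_level(client_level) == SYSTEM_LOW


def parse_ssh_login(login):
    """Split the 'username/user_r/Secret' login form into (user, role, level)."""
    parts = login.split("/", 2)
    user = parts[0]
    role = parts[1] if len(parts) > 1 else None
    level = parts[2] if len(parts) > 2 else None
    return user, role, level


def session_level_leaks(login, network_level="SystemLow"):
    """True if the requested session level is not dominated by the connection's label."""
    _, _, requested = parse_ssh_login(login)
    if requested is None:
        return False
    return not parse_level(network_level).dominates(parse_level(requested))
```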