[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 19 18:33:46 UTC 2007


On Thu, 2007-01-18 at 17:07 -0600, Klaus Weidner wrote:
> On Tue, Jan 16, 2007 at 03:37:28PM -0500, Linda Knippers wrote:
> > I'm reading the discussion about xinetd and changing the default level
> > for regular users.  What isn't clear from the discussion is what the
> > actual problem is that we'd be working around.
> > 
> > There seems to be an issue with xinetd and ssh in the unlabeled
> > networking case.  Sounds like xinetd gets confused with the context?
> > Is the suggestion to have xinetd default to some level above systemlow,
> > which would be the same default level for normal users?  Sounds
> > reasonable that the two would have the same default but I don't
> > understand why it matters what the specific level is.  Is that
> > related to the mail from Casey, Joe and others about the default
> > level for existing MLS operating systems or is there a technical
> > issue with default level for regular users the way it is?
> 
> The current problem is that the new ssh level selection code allows users
> to select levels even if labeled networking is active when using the
> standalone sshd.
> 
> Users can only connect to sshd when their level is "SystemLow", in other
> cases the MLS constraints will deny the TCP connection before sshd gets
> it. But if a user is running at SystemLow, he can use "ssh
> username/user_r/Secret at localhost" to get a shell running at "Secret"
> level (assuming he's cleared for that), and the information will travel
> over a network connection labeled SystemLow which isn't supposed to be
> permitted.
> 
> The sshd-via-xinetd approach which was designed for use with labeled
> networking doesn't have that problem, so shutting down standalone sshd
> when labeled networking is active would solve this issue.
> 
> The reason for proposing a non-SystemLow default lower level for nonadmin
> users is to provide additional protection; currently "Unclassified" is
> mapped to "s1" while "SystemLow" is "s0", so an "Unclassified" user would
> not be permitted to connect to a standalone sshd running at SystemLow
> when labeled networking is active.

Changing the default user level would have implications for file
labeling too - you'd have to decide what files to leave in s0 and which
ones to move up to s1 (obviously the user home directories, but it would
involve more than that), and then work through what programs suddenly
need MLS overrides to continue working as expected (if they happen to
modify any of the system files you left in s0).

-- 
Stephen Smalley
National Security Agency
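
The constraint Klaus describes (a SystemLow user can reach the standalone sshd, an s1 user cannot, and a shell at a higher level still ends up talking over an s0 connection) is easy to make concrete with a small model of MLS label dominance. The following is an added illustration, not code from this thread or from the SELinux reference policy: it parses labels of the form `s<N>` or `s<N>:c1,c2`, applies a Bell-LaPadula style check (no read up, no write down, so a bidirectional TCP connection requires the endpoint labels to dominate each other), and evaluates the scenarios from the mail. The only mappings the thread states are SystemLow = s0 and Unclassified = s1 under the proposed change; the mapping of "Secret" to `s3:c0`, the function names, and the simplification of the real `mlsconstrain` rules to plain dominance are assumptions made for the example.

```python
"""Simplified model of MLS dominance checks for the sshd scenarios above.

Added illustration, not code from the redhat-lspp thread or from the SELinux
reference policy.  A label is a sensitivity level plus a category set
("s2:c0,c3").  The exact mlsconstrain rules in the policy differ in detail;
the name-to-level table below is assumed for illustration only.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset


def parse_level(text):
    """Parse 's<N>' or 's<N>:c1,c2' into a Level (no 'c0.c3' range syntax)."""
    m = re.fullmatch(r"s(\d+)(?::(c\d+(?:,c\d+)*))?", text)
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    cats = frozenset(int(c[1:]) for c in m.group(2).split(",")) if m.group(2) else frozenset()
    return Level(int(m.group(1)), cats)


def dominates(a, b):
    """a dominates b when a's sensitivity is >= b's and a's categories include b's."""
    return a.sens >= b.sens and a.cats >= b.cats


def can_read(subject, obj):
    """No read up: the subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """No write down: the object must dominate the subject."""
    return dominates(obj, subject)


def can_connect(process, peer):
    """A TCP connection both sends and receives, so both rules must hold;
    under the dominance relation that means the two labels are equal."""
    return can_write(process, peer) and can_read(process, peer)


# Assumed name -> level table.  The thread only states SystemLow = s0 and
# Unclassified = s1 (proposed); "Secret" = s3:c0 is made up for the example.
NAMES = {"SystemLow": "s0", "Unclassified": "s1", "Secret": "s3:c0"}


def lvl(name):
    return parse_level(NAMES[name])


def standalone_sshd_scenario(user_level, requested_shell_level, sshd_peer="SystemLow"):
    """Return (connect_allowed, shell_traffic_would_be_allowed).

    The standalone sshd accepts connections at the sshd_peer level.  The MLS
    constraints see only the connecting user's level, not the level of the
    shell that the ssh "user/role/level" syntax requests.  The second element
    is what the same check says when applied to the shell's own traffic,
    which is the flow the mail says should not be permitted.
    """
    if not can_connect(lvl(user_level), lvl(sshd_peer)):
        return False, False
    return True, can_connect(lvl(requested_shell_level), lvl(sshd_peer))


def xinetd_sshd_shell_level(user_level):
    """Under the sshd-via-xinetd design, xinetd runs sshd at the level of the
    accepted connection, so the resulting shell carries the peer's own level
    and can_connect(shell, peer) holds by construction."""
    return lvl(user_level)


if __name__ == "__main__":
    # A SystemLow user connects, then requests a Secret shell: the connection
    # passes, but the shell's traffic over the s0 connection would not.
    print(standalone_sshd_scenario("SystemLow", "Secret"))      # (True, False)
    # With Unclassified mapped to s1, the same user cannot connect at all.
    print(standalone_sshd_scenario("Unclassified", "Secret"))   # (False, False)
    print(xinetd_sshd_shell_level("SystemLow"))
```

The second scenario is the "additional protection" Klaus refers to: moving the default user level to s1 makes the SystemLow-labeled standalone sshd unreachable for ordinary users, which is why Stephen's reply then asks which files would have to move to s1 along with them.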
