[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: [redhat-lspp] Getting rid of multilevel objects
- From: Stephen Smalley <sds tycho nsa gov>
- To: Klaus Weidner <klaus atsec com>
- Cc: Casey Schaufler <casey schaufler-ca com>, Joe Nall <joe nall com>, Chad Hanson <chanson TrustedCS com>, "Knoke, Jim \(US SSA\)" <jim knoke baesystems com>, lspp-list <redhat-lspp redhat com>
- Subject: Re: [redhat-lspp] Getting rid of multilevel objects
- Date: Fri, 07 Jul 2006 16:47:46 -0400
On Fri, 2006-07-07 at 15:55 -0500, Klaus Weidner wrote:
> On Fri, Jul 07, 2006 at 12:48:40PM -0700, Casey Schaufler wrote:
> > --- Klaus Weidner <klaus atsec com> wrote:
> > > - on the slave end, spawn newrole to switch to a high level, send
> > > your password through the pty.
> >
> > The newrole analog on one Unix MLS system, "su -M <maclabel>" closes
> > all open descriptors to prevent such a problem.
> >
> > The problem here is not with the pty, rather with newrole, which
> > oughtn't keep descriptors open if it is changing MLS label.
>
> In this case, the descriptor is the standard input and output stream that
> newrole uses for interaction, including reading its password, and closing
> that will make it stop working since the system doesn't have a trusted
> input/output path (which is a separate problem). newrole can't tell the
> difference between a legitimate pty use from ssh or in an xterm versus
> the unauthorized use, and it would be a very significant restriction to
> permit only console access for newrole use.
>
> Would it work to have newrole relabel the pty (maybe in a PAM session
> module?), so that the controlling low process won't be able to read from
> it?
newrole already relabels the tty.
--
Stephen Smalley
National Security Agency
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]