Re: [redhat-lspp] Getting rid of multilevel objects
- From: LC Bruzenak <lenny bruzenak com>
- To: Klaus Weidner <klaus atsec com>
- Cc: lspp-list <redhat-lspp redhat com>
- Subject: Re: [redhat-lspp] Getting rid of multilevel objects
- Date: Mon, 10 Jul 2006 15:27:44 -0500
On Mon, 2006-07-10 at 14:56 -0500, Klaus Weidner wrote:
...
>
> It should be ok to use newrole on a local or serial console where the
> entire communication chain to the user can be relabeled sanely, but ssh
> logins should force the session to run at the label of the incoming
> network connection.
>
> -Klaus
>
> --
Would that hinder a remote administration scenario where the ssh login
occurs on a network with a default level which is below the high-water
mark of the system labels but greater than the low level?
We'd like the incoming ssh account to be a non-administrative role, then
have them su/newrole to an administrative role.
Do you see any issues with this?
LCB.
--
LC Bruzenak
lenny bruzenak com