Re: [redhat-lspp] Getting rid of multilevel objects
- From: LC Bruzenak <lenny bruzenak com>
- To: casey schaufler-ca com
- Cc: lspp-list <redhat-lspp redhat com>
- Subject: Re: [redhat-lspp] Getting rid of multilevel objects
- Date: Mon, 10 Jul 2006 16:27:03 -0500
On Mon, 2006-07-10 at 13:56 -0700, Casey Schaufler wrote:
>
> --- LC Bruzenak <lenny bruzenak com> wrote:
>
> > Would that hinder a remote administration scenario
> > where the ssh login
> > occurs on a network with a default level which is
> > below the high-water
> > mark of the system labels but greater than the low
> > level?
> >
> > We'd like the incoming ssh account to be a
> > non-administrative role, then
> > have them su/newrole to an administrative role.
> >
> > Do you see any issues with this?
>
> If there's an MLS label change you're
> in trouble.
Usually there is an MLS change or privilege or both involved.
>
> You could argue that the administrative
> facilities are composed of programs that
> can be held responsible for policy
> enforcement and that they can't do
> anything wrong. This would be really
> pushing the credibility envelope however,
> and is an argument with a history of
> failure.
True enough, however there is a precedent of trust acceptance already
there with all the Microsoft-based systems firmly in place. Regardless,
I agree it is a relatively weak assertion.
> You might get away with it
> if the new role's shell is restricted,
> in fact, this is a situation where
> SELinux could provide significant
> leverage should you be able to describe
> the environment provided in terms of
> enforcement domains.
>
That's what I was thinking, but doing admin "stuff" doesn't work well
restricted. I was looking toward audit improvement and better analysis
tools.
LCB.
--
LC Bruzenak
lenny bruzenak com