[redhat-lspp] Getting rid of multilevel objects

[Casey Schaufler]

--- LC Bruzenak <lenny at bruzenak.com> wrote:

> Would that hinder a remote administration scenario
> where the ssh login
> occurs on a network with a default level which is
> below the high-water
> mark of the system labels but greater that the low
> level?
> 
> We'd like the incoming ssh account to be a
> non-administrative role, then
> have them su/newrole to an administrative role.
> 
> Do you see any issues with this?

If there's an MLS label change you're
in trouble.

You could argue that the administrative
facilities are composed of programs that
can be held responsible for policy
enforcement and that they can't do
anything wrong. This would be really
pushing the credibility envelope however,
and is an argument with a history of
failure. You might get away with it
if the new role's shell is restricted,
in fact, this is a situation where
SELinux could provide significant
leverage should you be able to describe
the environment provided in terms of
enforcement domains.


Casey Schaufler
casey at schaufler-ca.com