[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole
Casey Schaufler
casey at schaufler-ca.com
Thu Oct 12 15:37:01 UTC 2006
--- Russell Coker <russell at coker.com.au> wrote:
> On Thursday 12 October 2006 17:33, Klaus Weidner <klaus at atsec.com> wrote:
> > If you need local console (or serial) login at different MLS levels for
> > the same user, you can create multiple Linux users for each human user
> > that share the same uid and home directory, and use "semanage login" to
> > map them to appropriate levels. So you'd have smith_secret_cat1,
> > smith_unclassified and so on.
The Unix MLS systems provide a mechanism
in login to specify the user's MAC label.
In Trix 6 I would use:
login: casey MAC=appropriatevalue
passwd: ....
In Trix 4 it was:
login: casey
label: appropriatevalue
passwd: ...
In Solaris I *think* it would be:
login: casey -l appropriatevalue
passwd: ...
but rust could well have filled that part
of my memory.
Creating a separate login name for each MLS
value would be fine if you have a small number
of users with a small number of labels, but
will not be competitive in a production
environment.
> That doesn't work well with password expiry policies. Having
> smith_secret_cat1 password expire at different times to smith_unclassified
> would be a pain for users and sys-admins.
That too.
> Then if you want to use RSA SecurID or similar tokens you have an extra level
> of pain in mapping them to the right Unix account names.
>
> I think that the right solution is to re-enable the code for selecting the
> role etc at login time and adding some code for selecting the level. It
> should not be difficult to do this if there are no plans to ever support it
> for ssh or X logins.
>
> > It should still work to put a multilevel X desktop on top of this, since
> > that presumably uses a mechanism other than "newrole" to launch terminals
> > or windows at different levels. But that's only guesswork due to not
> > having seen any code for this...
>
> Can someone who has worked on one of these things before please comment on how
> it's done?
Hee Hee Hee. On Trix you get a new window at
a different label using su -M:
trix% su -M moresecret -c xterm &
trix% su -M evenmoresecret -c xclock &
This works because "su -M" closes all open
fds, reopening std{in,out,err} on /dev/null,
and the X server is MLS aware, accepting
connections with any label the user is cleared
for and enforcing policy on the objects it
controls. The X server uses TSIG interfaces
to obtain MLS information about the far end
of the connections ...
> It seems to me that the current way of managing desktops isn't going to work
> (IE Gnome and KDE won't work).
... and the window manager is also MLS aware.
Casey Schaufler
casey at schaufler-ca.com
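As an added worked example (not code from this thread, from Trusted IRIX or from Red Hat), here is the descriptor hygiene Casey attributes to "su -M", written as a small C program: close every fd above 2, reattach std{in,out,err} to /dev/null, then exec. It does not perform the label change itself, which is platform specific (su -M on Trusted IRIX, setexeccon(3) under SELinux); sanitize_fds(), run_clean() and leak_probe() are this example's own names, and the /proc/self/fd fast path assumes Linux, with a portable RLIMIT_NOFILE fallback. leak_probe() shows why the step matters: a pipe the parent holds open is writable from a plain fork+exec child, and closed from a child launched through sanitize_fds().

```c
/*
 * Added illustration, not code from the thread or from Trusted IRIX: the
 * descriptor hygiene Casey describes for "su -M" before it execs a program
 * at another MLS label.  Every fd above 2 is closed and std{in,out,err} are
 * reattached to /dev/null, so the new program inherits nothing (pipes,
 * sockets, open files) from the caller's label.  The label change itself is
 * platform specific (su -M on Trusted IRIX, setexeccon(3) under SELinux)
 * and is deliberately NOT done here; the names below are this example's own.
 */
#define _XOPEN_SOURCE 700   /* POSIX.1-2008 + XSI: dirfd(), getrlimit() */
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fast path (Linux assumption): close exactly the fds listed in
 * /proc/self/fd.  Returns -1 if /proc is unavailable so the caller
 * can fall back to the brute-force loop. */
static int close_from_proc(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL)
        return -1;
    int dfd = dirfd(d);
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end != '\0' || fd < 3 || fd == dfd)
            continue;           /* ".", "..", std fds, the DIR's own fd */
        close((int)fd);
    }
    closedir(d);
    return 0;
}

/* Portable fallback: close every slot up to the RLIMIT_NOFILE soft limit.
 * Correct but slow when the limit is huge; EBADF on empty slots is harmless. */
static void close_from_rlimit(void)
{
    struct rlimit rl;
    int maxfd = 1024;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        maxfd = rl.rlim_cur > INT_MAX ? INT_MAX : (int)rl.rlim_cur;
    for (int fd = 3; fd < maxfd; fd++)
        close(fd);
}

/* Close everything above fd 2 and point 0, 1, 2 at /dev/null.
 * Returns 0 on success, -1 (errno set) on failure. */
int sanitize_fds(void)
{
    if (close_from_proc() != 0)
        close_from_rlimit();

    int devnull = open("/dev/null", O_RDWR);
    if (devnull < 0)
        return -1;
    for (int fd = 0; fd <= 2; fd++) {
        if (devnull != fd && dup2(devnull, fd) < 0) {
            close(devnull);
            return -1;
        }
    }
    if (devnull > 2)
        close(devnull);
    return 0;
}

/* Fork, optionally sanitize the child's descriptors, exec argv and return
 * the child's exit status (-1 on fork/wait failure or abnormal exit). */
int run_clean(char *const argv[], int sanitize)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sanitize && sanitize_fds() != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Probe: hold a pipe open in the parent and ask the child's shell to write
 * to its write end.  Exit status 0 means the inherited fd was still usable
 * (a leak across the label boundary); non-zero means sh found it closed. */
int leak_probe(int sanitize)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo probe >&%d", p[1]);
    char *argv[] = { "sh", "-c", cmd, NULL };
    int rc = run_clean(argv, sanitize);
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("plain fork+exec : sh exit %d (0 = parent's pipe leaked into child)\n",
           leak_probe(0));
    printf("with sanitize   : sh exit %d (non-zero = pipe was closed first)\n",
           leak_probe(1));
    return 0;
}
```

Build it with cc and run it: the first line reports exit status 0 (the parent's pipe is reachable from the child), the second a non-zero status because the shell finds the descriptor closed. A real "su -M" style launcher would set the new label between sanitize_fds() and execvp(), which is exactly why the fds must be gone before that point: anything still open would cross the label boundary with the process.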