[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

Casey Schaufler casey at schaufler-ca.com
Thu Oct 12 16:54:15 UTC 2006



--- Klaus Weidner <klaus at atsec.com> wrote:


> I don't think that it's a significant issue though
> for current LSPP
> configurations - any people who plan to use this
> please speak up if you
> disagree.  The current LSPP configurations are for
> server systems,

A common deployment of an MLS system is the
enormous compute "server", where users
log in at various MLS values to process
data, some of which is common, and some of
which is not. Usually this means a network
login, today typically using ssh. Rarely
will a user need to log in at more than one
MLS value, but it can (and has) happened
that a user will have multiple valid MLS
values. In some installations they will want
to allow this over "unlabeled networks",
and in some they will not.

> and
> require that local consoles (including serial
> consoles listed in
> /etc/securetty) are physically restricted to be
> accessible by admins
> only, and admins can still use newrole. This leaves
> only non-admin serial
> terminals, and I don't think those are that common
> these days.

Indeed!

> Of course, people deploying a system that's based on
> the LSPP
> configuration can choose to deviate from the
> evaluated configuration
> based on their own risk assessment. This could
> include restoring general
> access to "newrole" if they don't consider the PTY
> exploit to be a
> concern.

It might be best if you don't say that out loud.


Casey Schaufler
casey at schaufler-ca.com



