Re: SELinux: Proof of tty


On 11/30/2011 07:20 PM, Jitesh Shah wrote:
> Hello list, For one of my projects, I am trying to learn the
> internals of SELinux. To start with, I am trying to build a
> minimalistic system where each domain is confined in its own domain
> (With Fedora's targeted policy as a base). One of my aims is to
> remove the unconfined domain totally.
> 
> It would be wishful to assume that one would never need the
> unconfined domain. So, I was hoping one could create a new Linux
> user (say, God) which maps to SELinux unconfined user. One can sudo
> to this user, but ONLY WITH A PROOF OF TTY (physical presence).
> 
> Now, I understand all the other parts except the last part. How do
> I ask SELinux to check for a tty?
> 
> I did google and stumbled upon Daniel Walsh's blog [1]. It says in
> one of the paragraphs: "SELinux can be configured to not allow
> unconfined logins via OpenSSH or Graphical User Interface. This
> means that users that have access to the unconfineduser domain can
> only login using this environment on the TTY or access the
> unconfined user space via the sudo command or SU with newrole
> command."
> 
> This post seems to imply that an SELinux change can affect that as 
> against an OpenSSH configuration change that explicitly disallows
> root login. That is hopeful. The post also goes on to give an
> example of how it might be done:
> 
> sudo visudo (john ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r
> ALL)
> 
> So, if someone knows "john"'s password, they can switch to the 
> unconfined domain. But, how to add an additional constraint that
> also says that physical presence is necessary to grant this
> access?
> 
> Thanks in advance, Jitesh
> 
> 
> [1]
> http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfined.html

I would probably hack up sudo to run a shell that checks to make sure
the user is local, I guess on a /dev/tty rather than on a pseudo tty.
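The check the reply sketches, as an added example that is not code from the thread, from sudo, or from the referenced blog: classify the terminal on a file descriptor as a local virtual console or not, using both the device name and the kernel-reported device major. It assumes Linux device numbering (major 4 for /dev/ttyN virtual consoles and serial lines, majors 136 to 143 for Unix98 pseudo-terminals under /dev/pts) and the function names are mine.

```c
/* Added example: gate an unconfined shell on the caller sitting at a local
 * virtual console.  Assumes Linux device numbering: major 4 covers /dev/ttyN
 * (and serial /dev/ttySN), majors 136-143 are Unix98 pseudo-terminals
 * (/dev/pts/N) as handed out by sshd, terminal emulators, screen and tmux. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

#define VT_MAJOR 4
#define PTS_MAJOR_FIRST 136
#define PTS_MAJOR_LAST 143

/* Name check: "/dev/tty" followed by digits only.  Rejects /dev/pts/N,
 * /dev/ttyS0 (serial, same major as the consoles) and the bare /dev/tty
 * alias, which any process with a controlling terminal can open. */
int is_console_name(const char *path)
{
    const char *prefix = "/dev/tty";
    size_t n = strlen(prefix);
    if (path == NULL || strncmp(path, prefix, n) != 0 || path[n] == '\0')
        return 0;
    for (const char *q = path + n; *q != '\0'; q++)
        if (!isdigit((unsigned char)*q))
            return 0;
    return 1;
}

/* Device-number check: the major comes from the kernel via fstat(), so a
 * renamed or re-created device node cannot change the answer. */
int is_pty_major(unsigned int maj)
{
    return maj >= PTS_MAJOR_FIRST && maj <= PTS_MAJOR_LAST;
}

/* 1 = local virtual console; 0 = pseudo-terminal, serial line, pipe,
 * redirected file, closed descriptor, or no terminal at all.  A wrapper
 * would run this on STDIN_FILENO before exec'ing the privileged shell. */
int fd_is_local_console(int fd)
{
    struct stat st;
    const char *name = ttyname(fd);
    if (name == NULL || fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;
    unsigned int maj = major(st.st_rdev);
    return is_console_name(name) && maj == VT_MAJOR && !is_pty_major(maj);
}
```

PAM already ships a gate of this shape in pam_securetty, which compares the login tty against /etc/securetty; whichever check is used, it only proves which device the session is attached to, not who is sitting in front of it.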
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx