On Thu, 2009-04-09 at 17:38 -0700, Brian Ginn wrote: > I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode. > > If I ssh as root to that host, id -Z reports > root:system_r:unconfined_t:SystemLow-SystemHigh > which includes a level. > > If I ssh as a user to that same host, id -Z reports > user_u:system_r:unconfined_t > which does not include a level. > > As that user, If I su -, id -z reports > user_u:system_r:unconfined_t > > If I then execute: > newrole -l SystemLow-SystemHigh > I get an error: > Error: you are not allowed to change levels on a non secure terminal > > I get the same behavior from sudo bash. > > > Questions: > 1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode? Search for "Multi-Category Security" aka MCS. Not to be confused with MLS. > 2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"? The newrole non-secure terminal issue has to do with switching levels when using a pty - newrole can only relabel one end of the pty, but other end remains unchanged, thereby allowing downgrading of data. You can allow it by adding the type of your pty (e.g. unconfined_devpts_t or whatever you see as the type field of ls -Z `tty`) to /etc/selinux/targeted/contexts/securetty_types. > 3: Is there a way to get from not having a level to SystemLow-SystemHigh? First you have to authorize the user for a non-trivial range, using semanage or system-config-selinux. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
