Thanks for the answers!
They bring up more questions for me, though.

As a user_u, with a non-secure tty, after 'su -', it makes some sense that newrole won't let me change the level.
From that same non-secure terminal, however, I can ssh root@localhost and get all the access I want.
For both of those examples, I used ssh to get to the host, and both ptys have the type devpts_t, so I am not sure why one is considered more secure than the other.

I can envision that for many installations, making some pty types secure via /etc/selinux/targeted/contexts/securetty_types is an acceptable practice - even desired.
From a more paranoid security viewpoint, wouldn't there be some installations where any non-secure terminal should be prohibited from gaining access to the sensitive data?

So, I am wondering
1) From that same non-secure terminal, should 'ssh root@localhost' be allowed to get a terminal that is considered secure?
2) Should a terminal from any non-SELinux host be considered non-secure and be prevented from accessing sensitive data?

Thanks,
Brian

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Friday, April 10, 2009 6:23 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@xxxxxxxxxx'
Subject: Re: levels in targeted mode

On Thu, 2009-04-09 at 17:38 -0700, Brian Ginn wrote:
> I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
>
> If I ssh as root to that host, id -Z reports
> root:system_r:unconfined_t:SystemLow-SystemHigh
> which includes a level.
>
> If I ssh as a user to that same host, id -Z reports
> user_u:system_r:unconfined_t
> which does not include a level.
>
> As that user, If I su -, id -z reports
> user_u:system_r:unconfined_t
>
> If I then execute:
> newrole -l SystemLow-SystemHigh
> I get an error:
> Error: you are not allowed to change levels on a non secure terminal
>
> I get the same behavior from sudo bash.
>
>
> Questions:
> 1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?

Search for "Multi-Category Security" aka MCS. Not to be confused with MLS.

> 2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?

The newrole non-secure terminal issue has to do with switching levels when using a pty - newrole can only relabel one end of the pty, but other end remains unchanged, thereby allowing downgrading of data. You can allow it by adding the type of your pty (e.g. unconfined_devpts_t or whatever you see as the type field of ls -Z `tty`) to /etc/selinux/targeted/contexts/securetty_types.

> 3: Is there a way to get from not having a level to SystemLow-SystemHigh?

First you have to authorize the user for a non-trivial range, using semanage or system-config-selinux.

--
Stephen Smalley
National Security Agency
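
Added example, not part of either message and not newrole's own code: a small audit helper that approximates the secure-terminal check discussed above by testing whether the type field of a terminal's context is listed in a securetty_types file. It assumes the file holds one type name per line; the function names, the sample file contents and the sample pty context are constructed for illustration.

```shell
#!/bin/sh
# Added example (not newrole's code): is a terminal's SELinux type listed in
# securetty_types? Assumes the file holds one type name per line.

# Type = third field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Level/range = everything after the third colon; empty when the context has
# none (as in user_u:system_r:unconfined_t). A level may itself contain colons.
context_level() {
    printf '%s\n' "$1" | cut -s -d: -f4-
}

# tty_is_secure CONTEXT FILE -> 0 listed, 1 not listed, 2 bad input
tty_is_secure() {
    sec_type=$(context_type "$1")
    [ -n "$sec_type" ] && [ -r "$2" ] || return 2
    # -x and -F: whole-line, literal match, so devpts_t does not match
    # unconfined_devpts_t.
    grep -qxF -- "$sec_type" "$2"
}

report() {
    if tty_is_secure "$1" "$2"; then
        echo "secure:     $1"
    else
        echo "non-secure: $1"
    fi
}

demo() {
    types_file=$(mktemp) || return 1
    # Constructed sample contents, not copied from a real policy.
    printf '%s\n' sysadm_tty_device_t user_tty_device_t > "$types_file"
    pty_ctx='user_u:object_r:devpts_t'   # constructed pty context
    report "$pty_ctx" "$types_file"      # not listed yet
    # The change described in the reply: list the pty's type in the file.
    context_type "$pty_ctx" >> "$types_file"
    report "$pty_ctx" "$types_file"      # now listed
    rm -f "$types_file"
}
demo
```

On a real host, pass the context that ls -Z `tty` shows for the terminal and the securetty_types path named in the reply.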