On Wed, 9 Sep 2009, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > > Secondly, I don't see why a user is not able to discretionarily
> > > > specify his range outright when going via ssh, just as he can with
> > > > roles.
> > >
> > > That's another artifact of the MLS model (label preservation /
> > > confinement).
> >
> > Unfortunately, here I have no idea what code I should look at to remove
> > that artifact.
>
> I think it is just lack of support in sshd due to lack of interest in
> supporting it for MLS. You could add it, but you'd need to make sure
> that it doesn't break the MLS behavior, as that is the one people care
> about.

If a user has a default range of A and they request a range of B, then the
same checks could be applied as for a runcon -l B operation when the source
range was A. How could that break anything?

--
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog