On Sun, 2009-09-27 at 17:34 +1000, Russell Coker wrote: > On Wed, 9 Sep 2009, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > > > Secondly I don't see why a user is not able to discretionarily > > > > > specify his range outright when going via ssh just as he can with > > > > > roles. > > > > > > > > That's another artifact of the MLS model (label preservation / > > > > confinement). > > > > > > Unfortunately here I have no idea on what code should I look to remove > > > that artifact. > > > > I think it is just lack of support in sshd due to lack of interest in > > supporting it for MLS. You could add it, but you'd need to make sure > > that it doesn't break the MLS behavior, as that is the one people care > > about. > > If a user has a default range of A and they request a range of B then the same > checks could be applied as for a runcon -l B operation when the source range > was A. > > How could that break anything? 1. You can't switch levels via runcon under MLS policy - runcon runs in the caller's domain. 2. newrole -l is prohibited on an "insecure" tty under MLS policy, which means any ptys at all due to the potential for downgrading data through the pty. Same issue applies for a ssh connection. LSPP requires level preservation. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
