Re: MLS telnet question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2010-04-09 at 08:02 -0400, Benedict, Phillip M wrote:
>  
> 
> Hello,
> 
>  
> 
> I am trying to come to a solution regarding the use of telnet on our
> MLS system. ( I know, … the decision to use it was made above me ) . L
> 
>  
> 
> What we have is a RHEL 5.3 system with the RedHat MLS policy
> installed. 
> 
> The system has multiple physical NICs attached to different networks.
> 
> Each network is designated for it’s own sensitivity level. ( so we
> might have one network for s1:c20, one for s2:c40 etc…)
> 
> User accounts are created with sensitivity labeling via semange. ( so
> we might have: user1 with s1:c20, and user2 with s2:c40 etc… )
> 
> The network does not carry any cipso data for evaluation by my server,
> so I don’t think I can use netlabel. 
> 
>  
> 
> Questions:
> 
> If I use IPTables/SECMARK to apply sensitivity labels to the packets
> as they come into the system, will xinetd spawn the telnet session
> with a matching sensitivity?  ( currently the telnet sessions are
> spawned at SystemLow-SystemHigh )

No.  iptables/secmark labels are only used for access control checks;
they are not "peer contexts" unlike NetLabel or labeled IPSEC.

xinetd.conf does have a LABELED flag that can be used to cause a tcp
non-waiting service to be created in the same context as the connecting
client, but that will only work if using a labeled networking mechanism
like NetLabel or labeled IPSEC.

> If telnet is spawned with the appropriate sensitivity, will SELinux
> disallow a users login who do not have  a matching sensitivity?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux