Different authentication with different user roles

Hello,

I’ve been watching the SELinux mailing list for a few months, and this is my first time asking a question here. I haven’t found the answer to this one anywhere, so maybe you guys could help me, or maybe there’s no such thing as I’ve imagined. But let’s move to the main part: I have two questions with related examples…

1) Is it possible to authenticate a user in a different way for each of the roles he’s in?

When the user is logged in with the role of staff_r, he would type the newrole command and, depending on the new role given as an argument, he would be asked for a different password in each case. The default password for the account would not allow him to be authenticated and gain higher privileges in the system.

This scenario may look a bit like abuse of a single account by different people who have different passwords to authenticate, but in fact there might be real-world examples of this situation. For example, you could switch to some kind of sandbox role without using a predefined shell binary, only newrole itself. Another example is when you’re logging in from an untrusted source and you could assume that all of your moves are being logged: having separate passwords for different roles would give the attacker access to only part of the system, not the whole one. These examples may look a bit naive, but I’m interested mainly in the idea pointed out in the question, and they’re only here to illustrate the situation.

2) Could the method of authentication and source of authentication request be used to determine the role a user should be in by default?

And in this case I've imagined it in the following way. We can also assume that the primary role for the user is staff_r.
a) If the user is logged in locally (using a tty, not a pty as in the case of sshd remote access) he could be authorized as sysadm_r without further authentication.
b) If the user is logged in using ssh from a trusted source (trusted IP address, trusted subnetwork) then he could be authorized as sysadm_r without further authentication.
c) If the user is logged in using ssh but he used his private key rather than a passphrase for authentication then he could be authorized as sysadm_r without further authentication.

Once more, these are just examples.

As far as I’ve researched, the second scenario could be a good example of SELinux-aware software and, as I guess, at least in cases b) and c) it should be implemented directly in sshd, and then sshd could decide how to handle user roles. Do you know if there’s anything like that currently implemented? And about the first case, could PAM be used somehow to deal with the mentioned problem, or maybe some other existing authentication system? I know that SELinux is used for Type-Based Access Control rather than Role-Based Access Control and these stories I’ve presented are just examples of RBAC, but in fact there is such a thing as a role in SELinux, so why not use it in this way? :)

Thanks, Krzysztof Katowicz-Kowalewski
