On Fri, 2006-07-07 at 15:55 -0500, Klaus Weidner wrote:
> On Fri, Jul 07, 2006 at 12:48:40PM -0700, Casey Schaufler wrote:
> > --- Klaus Weidner <[EMAIL PROTECTED]> wrote:
> > > - on the slave end, spawn newrole to switch to a high level, send
> > > your password through the pty.
> >
> > The newrole analog on one Unix MLS system, "su -M <maclabel>" closes
> > all open descriptors to prevent such a problem.
> >
> > The problem here is not with the pty, rather with newrole, which
> > oughtn't keep descriptors open if it is changing MLS label.
>
> In this case, the descriptor is the standard input and output stream that
> newrole uses for interaction, including reading its password, and closing
> that will make it stop working since the system doesn't have a trusted
> input/output path (which is a separate problem). newrole can't tell the
> difference between a legitimate pty use from ssh or in an xterm versus
> the unauthorized use, and it would be a very significant restriction to
> permit only console access for newrole use.
>
> Would it work to have newrole relabel the pty (maybe in a PAM session
> module?), so that the controlling low process won't be able to read from
> it?

newrole already relabels the tty.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
