--- James Antill <[EMAIL PROTECTED]> wrote:
> On Thu, 2006-10-19 at 09:30 -0400, Stephen Smalley wrote:
>
> > pam_selinux used to have support to let the user pick from the list of
> > reachable contexts for the user. So you could just restore that
> > support.
>
> So, in summary of the discussion, having pam_selinux let the user pick
> the TE and Sensitivity separately (much as it does now if
> get_ordered_context_list_with_level() fails) is the valid approach?

On Trix you can specify the MAC and Capabilities this way, so it seems you ought to be able to specify Sensitivity and TE on SELinux.

> > That doesn't address sshd though. Or gdm. sshd shouldn't be too
> > difficult.
>
> Combined with adding similar code to sshd.

Just a heads up, you want to do this, but you may not be able to get an evaluation team to allow it in an evaluated configuration.

> > There were some externally developed gdm patches for selinux
> > that enabled context selection long ago, but nothing recent
> > (pre-Fedora).
>
> But, from the "gdm/trusted-X needs lots more work" discussion, gdm
> should just stay with the default Sensitivity and people can use a
> terminal+ssh to change levels?

The MLS-ignorant Xserver should not be able to communicate with clients run with a different MLS value, but this trick ought to work, providing further assurance that allowing the option to specify an MLS value when you login (ssh) over a network connection won't get past the evaluators. Plus, it will only work for terminals, not for launching X clients.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
