On Thu, 2007-01-18 at 17:07 -0600, Klaus Weidner wrote:
> On Tue, Jan 16, 2007 at 03:37:28PM -0500, Linda Knippers wrote:
> > I'm reading the discussion about xinetd and changing the default level
> > for regular users. What isn't clear from the discussion is what the
> > actual problem is that we'd be working around.
> >
> > There seems to be an issue with xinetd and ssh in the unlabeled
> > networking case. Sounds like xinetd gets confused with the context?
> > Is the suggestion to have xinetd default to some level above systemlow,
> > which would be the same default level for normal users? Sounds
> > reasonable that the two would have the same default but I don't
> > understand why it matters what the specific level is. Is that
> > related to the mail from Casey, Joe and others about the default
> > level for existing MLS operating systems or is there a technical
> > issue with default level for regular users the way it is?
>
> The current problem is that the new ssh level selection code allows users
> to select levels even if labeled networking is active when using the
> standalone sshd.
>
> Users can only connect to sshd when their level is "SystemLow", in other
> cases the MLS constraints will deny the TCP connection before sshd gets
> it. But if a user is running at SystemLow, he can use "ssh
> username/user_r/[EMAIL PROTECTED]" to get a shell running at "Secret"
> level (assuming he's cleared for that), and the information will travel
> over a network connection labeled SystemLow which isn't supposed to be
> permitted.
>
> The sshd-via-xinetd approach which was designed for use with labeled
> networking doesn't have that problem, so shutting down standalone sshd
> when labeled networking is active would solve this issue.
>
> The reason for proposing a non-SystemLow default lower level for nonadmin
> users is to provide additional protection; currently "Unclassified" is
> mapped to "s1" while "SystemLow" is "s0", so an "Unclassified" user would
> not be permitted to connect to a standalone sshd running at SystemLow
> when labeled networking is active.

Changing the default user level would have implications for file
labeling too - you'd have to decide what files to leave in s0 and which
ones to move up to s1 (obviously the user home directories, but it would
involve more than that), and then work through what programs suddenly
need MLS overrides to continue working as expected (if they happen to
modify any of the system files you left in s0).

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
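
A toy model of the label flow discussed in this thread, added here as an example; it is not code from any of the posters or from the LSPP policy. The s0 and s1 mappings are from the thread; "Secret" = s2, the function names, the equality rule for TCP connections, and the "labeled" mode pinning the session to the connection label are assumptions made for illustration.

```python
import re

_LEVEL = re.compile(r"s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?")

def parse_level(level):
    """Parse 's2' or 's2:c0.c2,c5' into (sensitivity, frozenset of categories)."""
    m = _LEVEL.fullmatch(level)
    if not m:
        raise ValueError(f"bad MLS level: {level!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if part:
            lo, _, hi = part.partition(".")
            cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(m.group(1)), frozenset(cats)

def dominates(a, b):
    """True if level a dominates level b (sensitivity >= and categories superset)."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    return sa >= sb and ca >= cb

def tcp_connect_allowed(client, listener):
    """Simplified model: TCP is two-way, so both ends must dominate each other."""
    return dominates(client, listener) and dominates(listener, client)

def session_level(mode, conn_label, requested, clearance):
    """Level of the shell that sshd starts for an accepted connection."""
    if mode == "standalone":          # honours the level the user selects
        if not dominates(clearance, requested):
            raise PermissionError("requested level exceeds clearance")
        return requested
    if mode == "labeled":             # assumption: session pinned to the connection label
        return conn_label
    raise ValueError(mode)

def is_downgrade(conn_label, session):
    """Session data crosses the connection; flag it if the label does not dominate."""
    return not dominates(conn_label, session)

# Constructed levels: s0/s1 are from the thread, SECRET = "s2" is an assumption.
SYSTEM_LOW, UNCLASSIFIED, SECRET = "s0", "s1", "s2"

if __name__ == "__main__":
    for mode in ("standalone", "labeled"):
        lvl = session_level(mode, SYSTEM_LOW, SECRET, SECRET)
        print(mode, lvl, "DOWNGRADE" if is_downgrade(SYSTEM_LOW, lvl) else "ok")
    print("s1 user -> s0 sshd:", tcp_connect_allowed(UNCLASSIFIED, SYSTEM_LOW))
```

The same comparison, session level against connection label, is what an audit check over login records would apply to spot sessions started at a level the connection does not dominate.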
