On Sat, Jul 08, 2006 at 12:10:05PM -0700, Casey Schaufler wrote:

> The labeled network mechanism won't allow the relabeled process to
> communicate over the labeled socket in any case because doing so would
> violate the MLS enforcement on the socket. Even if newrole does provide
> either of these strictly illegal facilities you still have the problem
> of communicating with the remote host. An implementation must not allow
> a process to inaccurately associate the MLS label of the data
> transmitted over a socket.
>
> The newrole program can behave safely, or it can provide convenience,
> but it cannot do both. Changing a session MLS label in an environment
> that preserves existing state is not going to work because of the
> existing state.
I mostly agree with your analysis - using "newrole -l" to change the active label can't work safely together with labeled networking. More generally, it should not work whenever the communication channel involves talking to processes or labeled devices that can't be completely relabeled.

It should be ok to use newrole on a local or serial console where the entire communication chain to the user can be relabeled sanely, but ssh logins should force the session to run at the label of the incoming network connection.

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
