On Mon, 2006-07-10 at 13:56 -0700, Casey Schaufler wrote:
>
> --- LC Bruzenak <[EMAIL PROTECTED]> wrote:
>
> > Would that hinder a remote administration scenario where the ssh login
> > occurs on a network with a default level which is below the high-water
> > mark of the system labels but greater than the low level?
> >
> > We'd like the incoming ssh account to be a non-administrative role, then
> > have them su/newrole to an administrative role.
> >
> > Do you see any issues with this?
>
> If there's an MLS label change you're
> in trouble.

Usually there is an MLS change or privilege or both involved.

>
> You could argue that the administrative
> facilities are composed of programs that
> can be held responsible for policy
> enforcement and that they can't do
> anything wrong. This would be really
> pushing the credibility envelope however,
> and is an argument with a history of
> failure.

True enough, however there is a precedent of trust acceptance already
there with all the Microsoft-based systems firmly in place. Regardless, I
agree it is a relatively weak assertion.

> You might get away with it
> if the new role's shell is restricted,
> in fact, this is a situation where
> SELinux could provide significant
> leverage should you be able to describe
> the environment provided in terms of
> enforcement domains.
>

That's what I was thinking, but doing admin "stuff" doesn't work well
restricted. I was looking toward audit improvement and better analysis
tools.

LCB.

--
LC Bruzenak
[EMAIL PROTECTED]

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
