On Tue, Jan 16, 2007 at 03:37:28PM -0500, Linda Knippers wrote:
> I'm reading the discussion about xinetd and changing the default level
> for regular users. What isn't clear from the discussion is what the
> actual problem is that we'd be working around.
>
> There seems to be an issue with xinetd and ssh in the unlabeled
> networking case. Sounds like xinetd gets confused with the context?
> Is the suggestion to have xinetd default to some level above systemlow,
> which would be the same default level for normal users? Sounds
> reasonable that the two would have the same default but I don't
> understand why it matters what the specific level is. Is that
> related to the mail from Casey, Joe and others about the default
> level for existing MLS operating systems or is there a technical
> issue with default level for regular users the way it is?
The current problem is that the new ssh level selection code allows users to select levels even if labeled networking is active when using the standalone sshd. Users can only connect to sshd when their level is "SystemLow"; in other cases the MLS constraints will deny the TCP connection before sshd gets it. But if a user is running at SystemLow, he can use "ssh username/user_r/[EMAIL PROTECTED]" to get a shell running at "Secret" level (assuming he's cleared for that), and the information will travel over a network connection labeled SystemLow, which isn't supposed to be permitted. The sshd-via-xinetd approach, which was designed for use with labeled networking, doesn't have that problem, so shutting down standalone sshd when labeled networking is active would solve this issue.

The reason for proposing a non-SystemLow default lower level for nonadmin users is to provide additional protection; currently "Unclassified" is mapped to "s1" while "SystemLow" is "s0", so an "Unclassified" user would not be permitted to connect to a standalone sshd running at SystemLow when labeled networking is active.

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
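The two deployments Klaus contrasts, as an added model that is not part of the original thread or of any SELinux policy code: it encodes the connection rule exactly as the mail states it (the MLS constraints accept the TCP connection only when the peer's level equals the listener's level) and flags the case where a session's level differs from the label of the channel it rides on. The "Secret" rank and the behaviour of the xinetd-spawned sshd are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitivity ranks. The mail gives SystemLow=s0 and Unclassified=s1;
# "Secret" -> s3 is a constructed placeholder, not a value from the mail.
LEVELS = {"SystemLow": 0, "Unclassified": 1, "Secret": 3}


@dataclass
class Outcome:
    connected: bool                 # did the TCP connection get through?
    channel_level: Optional[str]    # MLS label on the network connection
    session_level: Optional[str]    # level the user's shell ends up at
    leak: bool                      # session level differs from channel level


def connection_permitted(user_level: str, listener_level: str) -> bool:
    # Rule as stated in the mail: the MLS constraints reject the TCP
    # connection before sshd sees it unless the peer's level matches
    # the level the listener runs at.
    return LEVELS[user_level] == LEVELS[listener_level]


def standalone_sshd(user_level: str, requested_level: str,
                    listener_level: str = "SystemLow") -> Outcome:
    # One long-running sshd at a fixed level. The login string may ask
    # for any level the user is cleared for, but the TCP channel keeps
    # the listener's label, so a higher session rides a lower channel.
    if not connection_permitted(user_level, listener_level):
        return Outcome(False, None, None, False)
    leak = LEVELS[requested_level] != LEVELS[listener_level]
    return Outcome(True, listener_level, requested_level, leak)


def xinetd_sshd(user_level: str, requested_level: str) -> Outcome:
    # Assumed model of the xinetd deployment: xinetd hands each labelled
    # connection to a fresh sshd running at that connection's level, so
    # the session can only run at the channel's own level. A request for
    # a different level is refused rather than served over the channel.
    if LEVELS[requested_level] != LEVELS[user_level]:
        return Outcome(True, user_level, None, False)
    return Outcome(True, user_level, requested_level, False)
```

With this model, a SystemLow user asking a standalone sshd for a Secret shell connects and is flagged as a leak, an Unclassified (s1) user cannot connect to the s0 listener at all, and the xinetd-spawned sshd never produces a session whose level differs from its channel.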
