Re: newrole - adding capabilities for polyinstantiation

[Klaus Weidner <klaus@atsec.com>]

On Wed, Oct 04, 2006 at 09:52:02AM +1000, Russell Coker wrote:
> On Wednesday 04 October 2006 08:40, Michael C Thompson <thompsmc@us.ibm.com> 
> wrote:
> > There are a few concerns which have arisen due to this polyinstantiation
> > and suid newrole work. One such concern is that with labeled networking,
> > using newrole to change your MLS level will not work as intended, since
> > the relabeled tty will not be able to talk to the socket. This would
> > limit using newrole to manipulate our MLS to the console, and would
> > leave newrole capable of only changing the role and type on network
> > connections.
> 
> What do you mean?
> 
> You have sshd talking to /dev/ptmx and the shell talking to /dev/pts/X.  
> If /dev/pts/X is relabeled to a different range then sshd will still keep 
> talking to /dev/ptmx without any change (in fact sshd can't conveniently know 
> about this change).

But that's not supposed to work, see:

	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200110

and the thread that Stephen Smalley also referred to:

	http://www.redhat.com/archives/redhat-lspp/2006-July/msg00024.html

The communication between the master and slave ends of the pty violates
the MLS policy, and makes it easy for unprivileged users to violate the
policy restrictions.

LSPP is not concerned with covert channels, but the pty hole isn't
covert, it's a direct use of official interfaces according to their
specification, and that's not acceptable for an evaluation.

Unfortunately this means that the current system will make "newrole -l"
essentially useless over ssh sessions, and since there is no support for
selecting a level at login time it may be necessary to use workarounds,
such as creating multiple Linux usernames mapped to the same UID but with
different default MLS levels (configured via "semanage login"). (I've
just tested that - it works, but I'm not sure if that's how people expect
the system to behave.)

> Also for an X session it's quite viable to ssh to localhost from an xterm to 
> create a session with a different context, and that is no more difficult than 
> running newrole.  I am not advocating doing this, just noting that it is 
> possible.

Well, this should only work if you have a proper MLS aware desktop that
can prevent cut&paste between the sessions at various levels, and would
require MLS override capabilites for the X server and/or window manager.

Currently, even localhost networking is supposed to be labeled, so you
wouldn't be able to use a SSH session running at a different label for
communication.

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.