gpm & mls

gpm & mls

[Steve G]

Hi,

I was wondering if gpm should be patched to be an Object Manager? The reason I
ask is that its possible to be logged into 2 consoles at 2 levels. Its just a
copy and paste to downgrade text and it is not controlled or audited.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: gpm & mls

[Chad Hanson]

It could probably be made into an object manager. For the certification, I
would suggest that gpm is disabled or removed to avoid the problem.

-Chad

> -----Original Message-----
> From: Steve G [mailto:linux_4ever@yahoo.com]
> Sent: Monday, October 02, 2006 8:06 AM
> To: selinux@tycho.nsa.gov
> Subject: gpm & mls
> 
> 
> Hi,
> 
> I was wondering if gpm should be patched to be an Object 
> Manager? The reason I
> ask is that its possible to be logged into 2 consoles at 2 
> levels. Its just a
> copy and paste to downgrade text and it is not controlled or audited.
> 
> -Steve
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
> --
> This message was distributed to subscribers of the selinux 
> mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: gpm & mls

[Steve G]

>For the certification, I would suggest that gpm is disabled or removed to avoid
>the problem.

True, but its a royal PITA to admin a machine without it.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gpm & mls

[Paul Moore]

Steve G wrote:
>>For the certification, I would suggest that gpm is disabled or removed to avoid
>>the problem.
>  
> True, but its a royal PITA to admin a machine without it.

So is MLS in enforcing mode, but we suffer through it ;)

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gpm & mls

[Russell Coker]

On Tuesday 03 October 2006 00:47, Steve G <linux_4ever@yahoo.com> wrote:
> >For the certification, I would suggest that gpm is disabled or removed to
> > avoid the problem.
>
> True, but its a royal PITA to admin a machine without it.

It shouldn't be difficult to have a configuration option for GPM to not allow 
cut/paste to different VCs.  That plus an option to flush the buffer on 
logout will prevent the use of gpm for relabelling while allowing most of the 
functionality you desire and not requiring as much work.  I'm sure that some 
non-SE Linux users would appreciate such a patch too.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [redhat-lspp] Re: gpm & mls

[Steve Grubb]

On Monday 02 October 2006 18:44, Russell Coker wrote:
> It shouldn't be difficult to have a configuration option for GPM to not
> allow cut/paste to different VCs.

NACK.

This should not be too hard to do, the internal buffer needs to carry the 
label of the screen it was copied from and a dominance check be done before 
doing the paste. We also need to record avc denials to the audit system.

> That plus an option to flush the buffer on logout 

Yep.

-Steve

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.