* RE: gpm & mls
From: Chad Hanson @ 2006-10-02 14:42 UTC
To: Steve G, selinux; +Cc: redhat-lspp
It could probably be made into an object manager. For the certification, I
would suggest that gpm is disabled or removed to avoid the problem.
-Chad
> -----Original Message-----
> From: Steve G [mailto:linux_4ever@yahoo.com]
> Sent: Monday, October 02, 2006 8:06 AM
> To: selinux@tycho.nsa.gov
> Subject: gpm & mls
>
>
> Hi,
>
> I was wondering if gpm should be patched to be an Object
> Manager? The reason I
> ask is that it's possible to be logged into 2 consoles at 2
> levels. It's just a
> copy and paste to downgrade text and it is not controlled or audited.
>
> -Steve
>
> --
> This message was distributed to subscribers of the selinux
> mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
* RE: gpm & mls
From: Steve G @ 2006-10-02 14:47 UTC
To: Chad Hanson, selinux; +Cc: redhat-lspp
>For the certification, I would suggest that gpm is disabled or removed to avoid
>the problem.
True, but it's a royal PITA to admin a machine without it.
-Steve
* Re: gpm & mls
From: Paul Moore @ 2006-10-02 16:06 UTC
To: Steve G; +Cc: Chad Hanson, selinux, redhat-lspp
Steve G wrote:
>>For the certification, I would suggest that gpm is disabled or removed to avoid
>>the problem.
>
> True, but it's a royal PITA to admin a machine without it.
So is MLS in enforcing mode, but we suffer through it ;)
--
paul moore
linux security @ hp
* Re: gpm & mls
From: Russell Coker @ 2006-10-02 22:44 UTC
To: Steve G; +Cc: Chad Hanson, selinux, redhat-lspp
On Tuesday 03 October 2006 00:47, Steve G <linux_4ever@yahoo.com> wrote:
> >For the certification, I would suggest that gpm is disabled or removed to
> > avoid the problem.
>
> True, but it's a royal PITA to admin a machine without it.
It shouldn't be difficult to have a configuration option for GPM to not allow
cut/paste to different VCs. That plus an option to flush the buffer on
logout will prevent the use of gpm for relabelling while allowing most of the
functionality you desire and not requiring as much work. I'm sure that some
non-SE Linux users would appreciate such a patch too.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
* Re: [redhat-lspp] Re: gpm & mls
From: Steve Grubb @ 2006-10-04 15:00 UTC
To: redhat-lspp, russell; +Cc: Steve G, Chad Hanson, selinux
On Monday 02 October 2006 18:44, Russell Coker wrote:
> It shouldn't be difficult to have a configuration option for GPM to not
> allow cut/paste to different VCs.
NACK.
This should not be too hard to do: the internal buffer needs to carry the
label of the screen it was copied from, and a dominance check needs to be done
before doing the paste. We also need to record AVC denials to the audit system.
> That plus an option to flush the buffer on logout
Yep.
-Steve
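
The design described in the message above (a selection buffer that carries the label of the console it was copied from, a dominance check before paste, a recorded denial, and a flush on logout), as an added example that is not code from the thread or from gpm. The struct and function names, the 64-category limit, and stderr standing in for the audit system are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed types: an MLS level is a sensitivity plus a category bitmask (c0..c63). */
struct mls_level { int sens; unsigned long long cats; };
struct sel_buf { char text[256]; struct mls_level label; int valid; };
/* Parse a non-negative decimal no larger than max; returns -1 on error. */
static long num(const char *p, char **end, long max) {
    if (*p < '0' || *p > '9') return -1;
    long v = strtol(p, end, 10);
    return v > max ? -1 : v;
}
/* Parse "s0" or "s2:c1,c5" (category ranges such as c0.c3 are not handled). */
int mls_parse(const char *s, struct mls_level *out) {
    char *end, sep = ':';
    long v;
    if (*s != 's' || (v = num(s + 1, &end, 1023)) < 0) return -1;
    out->sens = (int)v; out->cats = 0;
    for (; *end == sep; sep = ',') {
        if (end[1] != 'c' || (v = num(end + 2, &end, 63)) < 0) return -1;
        out->cats |= 1ULL << v;
    }
    return *end == '\0' ? 0 : -1;
}
/* a dominates b: sensitivity at least as high, category set a superset. */
int mls_dominates(const struct mls_level *a, const struct mls_level *b) {
    return a->sens >= b->sens && (a->cats & b->cats) == b->cats;
}
/* Copy: the buffer inherits the label of the source console. */
void sel_copy(struct sel_buf *b, const char *text, const struct mls_level *src) {
    snprintf(b->text, sizeof b->text, "%s", text);
    b->label = *src; b->valid = 1;
}
/* Paste: allowed only if the target console dominates the buffer label.
 * The stderr line is a constructed stand-in for an audit record. */
int sel_paste(const struct sel_buf *b, const struct mls_level *dst, int vc) {
    if (b->valid && mls_dominates(dst, &b->label)) return 1;
    if (b->valid) fprintf(stderr, "denied paste: buffer=s%d target vc=%d s%d\n",
                          b->label.sens, vc, dst->sens);
    return 0;
}
/* Logout: drop the text and its label together. */
void sel_flush(struct sel_buf *b) { memset(b, 0, sizeof *b); }
int main(void) {
    struct sel_buf buf; struct mls_level hi, lo;
    sel_flush(&buf); mls_parse("s2:c1", &hi); mls_parse("s0", &lo);
    sel_copy(&buf, "constructed sample text", &hi);
    printf("to s0: %d, to s2:c1: %d\n", sel_paste(&buf, &lo, 2), sel_paste(&buf, &hi, 1));
    sel_flush(&buf); return 0;
}
```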
* gpm & mls
From: Steve G @ 2006-10-02 13:06 UTC
To: selinux
Hi,
I was wondering if gpm should be patched to be an Object Manager? The reason I
ask is that it's possible to be logged into 2 consoles at 2 levels. It's just a
copy and paste to downgrade text and it is not controlled or audited.
-Steve