Old 11-30-2011, 11:20 PM
Jitesh Shah
 
SELinux: Proof of tty

Hello list,
For one of my projects, I am trying to learn the internals of SELinux.
To start with, I am trying to build a minimalistic system where each
domain is confined in its own domain (With Fedora's targeted policy as
a base). One of my aims is to remove the unconfined domain totally.

It would be wishful to assume that one would never need the unconfined
domain. So, I was hoping one could create a new Linux user (say, God)
which maps to SELinux unconfined user. One can sudo to this user, but
ONLY WITH A PROOF OF TTY (physical presence).

Now, I understand all the other parts except the last part. How do I
ask SELinux to check for a tty?

I did google and stumbled upon Daniel Walsh's blog [1]. It says in one
of the paragraphs:
"SELinux can be configured to not allow unconfined logins via OpenSSH
or Graphical User Interface. This means that users that have access to
the unconfineduser domain can only login using this environment on the
TTY or access the unconfined user space via the sudo command or SU
with newrole command."

This post seems to imply that an SELinux change can affect that as
against an OpenSSH configuration change that explicitly disallows root
login. That is hopeful. The post also goes on to give an example of
how it might be done:

sudo visudo (john ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL)

So, if someone knows "john"'s password, they can switch to the
unconfined domain. But, how to add an additional constraint that also
says that physical presence is necessary to grant this access?

Thanks in advance,
Jitesh


[1] http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfined.html
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 12-01-2011, 01:33 PM
Daniel J Walsh
 
SELinux: Proof of tty

On 11/30/2011 07:20 PM, Jitesh Shah wrote:
I would probably hack up sudo to run a shell that checks to make sure
the user is local, I guess on a /dev/tty rather than on a pseudo tty.
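Walsh's suggestion above, worked into a script as an added example (not code from the thread, from sudo, or from Fedora's policy): a minimal shell that sudo can run in place of bash and that refuses to start unless its controlling terminal is a local virtual console. The sudoers entry, the install path /usr/local/sbin/unconfined-shell and the use of SSH_CONNECTION as a second signal are assumptions.

```shell
#!/bin/sh
# unconfined-shell: constructed example of the gate Walsh describes.
# Assumed (hypothetical) sudoers entry pointing sudo at this script
# instead of a general-purpose shell:
#   john ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r /usr/local/sbin/unconfined-shell
# sudo performs the SELinux transition first, so this check runs inside
# unconfined_t: it is a gate in the shell, not in the policy.

# 0 when the device is a local virtual console (/dev/tty1 .. /dev/tty63),
# 1 for pseudo-terminals (/dev/pts/N, which sshd, screen and terminal
# emulators allocate), serial lines, and "not a tty".
is_physical_tty() {
    case "$1" in
        /dev/tty[0-9]|/dev/tty[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Second signal: sshd exports SSH_CONNECTION into the session. sudo's
# env_reset normally strips it, so the value is passed in explicitly; an
# empty value means "no evidence of ssh", not proof of a console.
came_over_ssh() {
    [ -n "$1" ]
}

main() {
    # tty(1) prints the controlling terminal of stdin and fails otherwise.
    dev=$(tty 2>/dev/null) || dev="not a tty"
    if ! is_physical_tty "$dev" || came_over_ssh "${SSH_CONNECTION:-}"; then
        echo "unconfined shell refused: terminal '$dev' is not a local console" >&2
        logger -p authpriv.warning -t unconfined-shell \
            "refused for $(id -un) on $dev"
        exit 1
    fi
    exec /bin/bash -l
}

# Run the gate only when invoked under the installed name, so the helper
# functions can also be sourced without side effects.
if [ "${0##*/}" = "unconfined-shell" ]; then
    main "$@"
fi
```

sudo's own requiretty option only checks that some terminal is present, and a pseudo-terminal handed out by sshd satisfies it, which is why the device name itself is inspected here.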
 
Old 12-02-2011, 05:59 AM
Jitesh Shah
 
SELinux: Proof of tty

> I would probably hack up sudo to run a shell that checks to make sure
> the user is local, I guess on a /dev/tty rather than on a pseudo tty.

Aah, I see. Makes sense. Thanks!

Jitesh
 
Old 12-02-2011, 11:59 AM
Daniel J Walsh
 
SELinux: Proof of tty

On 12/02/2011 01:59 AM, Jitesh Shah wrote:
>> I would probably hack up sudo to run a shell that checks to make
>> sure the user is local, I guess on a /dev/tty rather than on a
>> pseudo tty.
>
> Aah, I see. Makes sense. Thanks!
>
> Jitesh
Also I believe consolekit can tell you whether a user is at the
console or on a remote machine, I believe.