
Re: dynamic context transitions


On Wed, 2005-02-16 at 09:08, Luke Kenneth Casson Leighton wrote:
>  in order to be able to restrict users from logging in on a per-IP
>  basis.
> 
>  e.g. so restricted_user1 can ONLY ssh in from 192.168.0.223, because
>  i set up a net_context that said so, and associated
>  sshd_priv_restricted_user1_t with that network context

I'm not clear that this is going to work for you, or that this is the
right approach (vs. using iptables and multiple sshd instances running
in different security contexts and listening on different ports
initially).  Further, I'm not sure where you are going to perform these
dynamic context transitions, as the user isn't authenticated when the
monitor and unprivileged child are created.  

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
