
Re: dynamic context transitions


On Wed, Feb 16, 2005 at 09:00:13AM -0500, Stephen Smalley wrote:
> On Wed, 2005-02-16 at 09:08, Luke Kenneth Casson Leighton wrote:
> >  in order to be able to restrict users from logging in on a per-IP
> >  basis.
> > 
> >  e.g. so restricted_user1 can ONLY ssh in from 192.168.0.223, because
> >  i set up a net_context that said so, and associated
> >  sshd_priv_restricted_user1_t with that network context
> 
> I'm not clear that this is going to work for you, or that this is the
> right approach (vs. using iptables and multiple sshd instances running
> in different security contexts and listening on different ports
> initially).  

 this is the temporary approach that i have in fact taken.


 think in terms of maybe having to add a dozen or more different
 "zones".

 eth0 -> iptables -> /usr/sbin/sshd_eth0 -> restricted_user0
 eth1 -> iptables -> /usr/sbin/sshd_eth1 -> restricted_user1
 ....
 ....
 eth100 -> iptables -> /usr/sbin/sshd_eth100-> restricted_user100

 and it _very_ quickly becomes unmanageable - some time after the
 first two users are added.

 the requirements are such that there will be several different
 users with several different ip addresses / zones from which
 those users need to be restricted.

 i can foresee a point where the customer is going to bitch at me
 to provide a solution.
 

> Further, I'm not sure where you are going to perform these
> dynamic context transitions, as the user isn't authenticated when the
> monitor and unprivileged child are created.  

 do_authentication2() - just after the username is determined.

 auth2.c's input_userauth_request().
 
 after "user = packet_get_string(NULL)"

 i hope :)

 l.

-- 
--
http://lkcl.net
--
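The per-zone setup sketched in this message (eth -> iptables -> sshd_ethN -> restricted_userN), as an added example that is not part of the thread: a POSIX shell script that renders a zone table into the iptables rules and the one sshd invocation each zone needs. The zone table and port numbers are constructed sample data; the /usr/sbin/sshd_<iface> copies are assumed to already exist and carry their own file context, and limiting each instance with AllowUsers is this example's assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed zone table:
#   iface  allowed-source-IP  sshd-port  restricted-user
ZONES='eth0 192.168.0.223 2200 restricted_user0
eth1 192.168.1.17 2201 restricted_user1'

# iptables rules for one zone: only the allowed source may reach that
# zone's port on that interface; everything else sent to the port is
# dropped. The ACCEPT must be appended before the DROP (first match wins).
zone_iptables() {
    iface=$1 src=$2 port=$3
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' \
        "$iface" "$port" "$src"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Command line for the per-zone sshd copy (/usr/sbin/sshd_<iface>): bound to
# the zone's port (-p) and, as an assumption here, restricted to its one
# user with -o AllowUsers=... so the zone cannot be used by anyone else.
zone_sshd() {
    iface=$1 port=$3 user=$4
    printf '/usr/sbin/sshd_%s -p %s -o AllowUsers=%s\n' "$iface" "$port" "$user"
}

# Render rules and sshd lines for every zone: three lines per zone, which is
# what makes the scheme grow so fast once more than a couple of users exist.
render_zones() {
    echo "$ZONES" | while read -r iface src port user; do
        [ -z "$iface" ] && continue
        zone_iptables "$iface" "$src" "$port"
        zone_sshd "$iface" "$src" "$port" "$user"
    done
}

if [ "${1:-}" = render ]; then
    render_zones
fi
```

Run with `sh zones.sh render` to print the rule set; nothing is applied, the output is meant to be reviewed before use.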

--
This message was distributed to subscribers of the selinux mailing list.


This mailing list archive is a service of Copilot Consulting.