[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sshd transition points

To: Luke Kenneth Casson Leighton <lkcl@xxxxxxxx>
Subject: Re: sshd transition points
From: Stephen Smalley <sds@xxxxxxxxxxxxxx>
Date: Wed, 16 Feb 2005 12:53:38 -0500
Cc: SE-Linux <selinux@xxxxxxxxxxxxx>
In-reply-to: <20050216152644.GU31121@xxxxxxxx>
Organization: National Security Agency
References: <20050215155323.GC23765@xxxxxxxx> <1108491293.17854.153.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050215191640.GA26294@xxxxxxxx> <1108495342.17854.200.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050215200355.GB26294@xxxxxxxx> <20050215225329.GH26294@xxxxxxxx> <20050215231707.GC29523@xxxxxxxx> <20050216000437.GD30341@xxxxxxxx> <1108559425.19756.54.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050216134457.GL31121@xxxxxxxx> <20050216152644.GU31121@xxxxxxxx>
Sender: owner-selinux@xxxxxxxxxxxxx

On Wed, 2005-02-16 at 10:26, Luke Kenneth Casson Leighton wrote:
> i aim to add a setcon() into sshd's "input_userauth_request()"
> function just after the point where the username is obtained,
> such that any unauthorised IP addresses for that username will
> immediately stop any further TCP traffic.

And this occurs in the unprivileged child process, not the monitor?  So
the unprivileged child will timeout waiting for further input, die, and
the monitor will cleanup?

> i will add a type_transition to the policy
> 
> 	 type_transition sshd_priv_t user_t:process sshd_priv_user_t;
> 
> i will temporarily use get_default_context() - if it works - to
> obtain the user_t context, as the 2nd argument to
> security_compute_create().
> 
> i will use security_compute_create() to look up the actual context
> in my type_transition policy rule (sshd_priv_user_t).

And where does sshd_priv_t come from?  Unless you make some other
change, you are still running in sshd_t at this point, right?

> i will use setcon() to actually set the required context
> (sshd_priv_user_t).
> 
> i will restrict sshd_priv_user_t to only be allowed TCP send and
> receive from a specific IP address.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

Follow-Ups:
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton

References:
- sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Stephen Smalley
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Stephen Smalley
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Stephen Smalley
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton
- Re: sshd transition points
  - From: Luke Kenneth Casson Leighton

Prev by Date: [owner@xxxxxxxxxxxxxxx: Bug#258725 acknowledged by developer (Bug#258725: fixed in hotplug 0.0.20040329-17)]
Next by Date: Re: sshd transition points
Previous by thread: Re: sshd transition points
Next by thread: Re: sshd transition points
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilot Consulting.