On 11/30/2011 07:20 PM, Jitesh Shah wrote:
Hello list,

For one of my projects, I am trying to learn the internals of SELinux. To start with, I am trying to build a minimalistic system where each domain is confined in its own domain (With Fedora's targeted policy as a base). One of my aims is to remove the unconfined domain totally.
It would be wishful to assume that one would never need the unconfined domain. So, I was hoping one could create a new Linux user (say, God) which maps to SELinux unconfined user. One can sudo to this user, but ONLY WITH A PROOF OF TTY (physical presence).
Now, I understand all the other parts except the last part. How do I ask SELinux to check for a tty?
I did google and stumbled upon Daniel Walsh's blog [1]. It says in one of the paragraphs: "SELinux can be configured to not allow unconfined logins via OpenSSH or Graphical User Interface. This means that users that have access to the unconfineduser domain can only login using this environment on the TTY or access the unconfined user space via the sudo command or SU with newrole command."
This post seems to imply that an SELinux change can affect that as against an OpenSSH configuration change that explicitly disallows root login. That is hopeful. The post also goes on to give an example of how it might be done:
sudo visudo (john ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL)
So, if someone knows "john"'s password, they can switch to the unconfined domain. But, how to add an additional constraint that also says that physical presence is necessary to grant this access?
Thanks in advance,
Jitesh
[1] http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfin...
I would probably hack up sudo to run a shell that checks to make sure the user is local, I guess on a /dev/tty rather than on a pseudo tty.
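
The terminal check suggested in the reply above, as an added shell example (not code from the thread, from sudo, or from SELinux). It assumes "local" means a Linux virtual console (/dev/ttyN) and that pseudo terminals appear as /dev/pts/N; the function names `classify_tty`, `require_local_tty` and `run_wrapper` and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: gate a shell on the kind of terminal stdin is attached to.
# Assumption: "local" = Linux virtual console (/dev/tty1, /dev/tty2, ...);
# pseudo terminals (/dev/pts/N, used by sshd and terminal emulators) are refused.

# classify_tty PATH -> prints "local", "pseudo" or "unknown"
classify_tty() {
    case "$1" in
        /dev/pts/*) echo pseudo ;;
        /dev/tty[0-9]*)
            # Require digits only after /dev/tty (rejects e.g. /dev/tty1x).
            n=${1#/dev/tty}
            case "$n" in
                *[!0-9]*) echo unknown ;;
                *)        echo local ;;
            esac ;;
        *) echo unknown ;;   # "not a tty", bare /dev/tty, serial lines, etc.
    esac
}

# require_local_tty [PATH] -> returns 0 only for a virtual console.
# With no argument it asks tty(1) which device stdin is attached to.
require_local_tty() {
    dev=${1:-$(tty 2>/dev/null)}
    [ "$(classify_tty "$dev")" = local ]
}

# Hypothetical entry point for a wrapper that sudo would run in place of a
# plain shell: the shell starts only after the terminal check passes.
run_wrapper() {
    if require_local_tty; then
        exec "${SHELL:-/bin/sh}"
    fi
    echo "refused: not on a local virtual console" >&2
    return 1
}

# Act only when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    run_wrapper
fi
```

The check looks only at the device stdin is attached to, so it is a wrapper-level gate and not an SELinux policy rule.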