SELinux: Proof of tty

Jitesh Shah jitesh.1337 at gmail.com
Thu Dec 1 00:20:58 UTC 2011


Hello list,
For one of my projects, I am trying to learn the internals of SELinux.
To start with, I am trying to build a minimalistic system where each
domain is confined in its own domain (with Fedora's targeted policy as
a base). One of my aims is to remove the unconfined domain totally.

It would be wishful to assume that one would never need the unconfined
domain. So, I was hoping one could create a new Linux user (say, God)
which maps to SELinux unconfined user. One can sudo to this user, but
ONLY WITH A PROOF OF TTY (physical presence).

Now, I understand all the other parts except the last part. How do I
ask SELinux to check for a tty?

I did google and stumbled upon Daniel Walsh's blog [1]. It says in one
of the paragraphs:
"SELinux can be configured to not allow unconfined logins via OpenSSH
or Graphical User Interface. This means that users that have access to
the unconfineduser domain can only login using this environment on the
TTY or access the unconfined user space via the sudo command or SU
with newrole command."

This post seems to imply that an SELinux change can affect that as
against an OpenSSH configuration change that explicitly disallows root
login. That is hopeful. The post also goes on to give an example of
how it might be done:

sudo visudo (john ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL)

So, if someone knows "john"'s password, they can switch to the
unconfined domain. But, how to add an additional constraint that also
says that physical presence is necessary to grant this access?

Thanks in advance,
Jitesh


[1] http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfined.html

