Date: Sat, 28 Sep 2019 09:57:35 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 240891] With MAC_BIBA (presumably MAC_MLS as well) sshd cannot set the login class properly
Message-ID: <bug-240891-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240891

    Bug ID: 240891
   Summary: With MAC_BIBA (presumably MAC_MLS as well) sshd cannot set the login class properly
   Product: Base System
   Version: 12.0-RELEASE
  Hardware: Any
        OS: Any
    Status: New
  Severity: Affects Some People
  Priority: ---
 Component: kern
  Assignee: bugs@FreeBSD.org
  Reporter: realkay@mailbox.org

I *think* this is the same as
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=177698 from several years
back.

With the following login class in /etc/login.conf:

admin:\
        :label=biba/low(low-5):\
        :tc=default:

And with the user properly set to that login class (confirmed by grepping
/etc/master.passwd), after logging in over ssh:

$ id -c && getpmac
daemon
biba/low(low-5),partition/0

(Note that the login class is set to *daemon* .. it seems to have failed
silently to set it and some default was applied)

Now if we go back to login.conf and change biba/low(low-5) to
biba/low(low-high):

$ id -c && getpmac
admin
biba/low(low-high),partition/0

I am not entirely sure why this is happening, but the practical effect is
removing the ability to set login classes for SSH users that cannot reach
biba/high, which greatly defeats the purpose of employing MAC_BIBA to ensure
the system's integrity.

-- 
You are receiving this mail because:
You are the assignee for the bug.
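
A session check for the silent fallback reported above, as an added example that is not part of the original message or of FreeBSD: it reads a class's `label` capability from a login.conf-format file and compares class and label against the output of `id -c` and `getpmac`. The function names, argument order and sample file are assumptions, and `tc=` inheritance is not followed.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# Constructed login.conf fragment holding the class entry from the report.
sample_conf() {
cat <<'EOF'
# constructed sample
default:\
        :path=/bin:
admin:\
        :label=biba/low(low-5):\
        :tc=default:
EOF
}

# Print the label capability of class $1 from login.conf-format file $2.
# tc= inheritance is not followed.
class_label() {
    awk -v cls="$1" '
        /^[ \t]*#/ { next }                    # skip comment lines
        { line = $0; cont = sub(/\\$/, "", line); rec = rec line }
        cont { next }                          # entry continues on the next line
        {
            n = split(rec, f, ":"); rec = ""; hit = 0
            m = split(f[1], names, "|")        # class name plus any aliases
            for (i = 1; i <= m; i++) if (names[i] == cls) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                cap = f[i]; gsub(/^[ \t]+|[ \t]+$/, "", cap)
                if (index(cap, "label=") == 1) { print substr(cap, 7); exit }
            }
        }
    ' "$2"
}

# $1 expected class, $2 expected label, $3 `id -c` output, $4 `getpmac` output.
# Returns 0 only when the session carries both the class and the label.
session_matches() {
    [ "$3" = "$1" ] || { echo "class: want $1, got $3"; return 1; }
    case ",$4," in
        *",$2,"*) return 0 ;;                  # label is one element of the list
    esac
    echo "label: want $2, got $4"; return 1
}

# Replay the first observation from the report against the sample entry.
conf=$(mktemp); sample_conf > "$conf"
session_matches admin "$(class_label admin "$conf")" \
    daemon "biba/low(low-5),partition/0" || echo "silent fallback detected"
rm -f "$conf"
```

On a live system, pass `/etc/login.conf` as the file and `$(id -c)` and `$(getpmac)` as the third and fourth arguments.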
