bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Selinux bash prompt decorations


From: Chet Ramey
Subject: Re: Selinux bash prompt decorations
Date: Tue, 04 Apr 2006 16:43:16 -0400
User-agent: Thunderbird 1.5 (Macintosh/20051201)

Steve Grubb wrote:
> On Tuesday 04 April 2006 15:51, Chet Ramey wrote:
>> Are these values available to the user any other way -- say, through
>> environment or shell variables?
> 
> No, they aren't available this way.
> 
>> How about commands whose output may be assigned to shell variables?
> 
> Yes, they can be acquired in a number of ways. But what we are trying to do 
> is 
> set things up so that people using this in a classified environment have an 
> easy way to see what the session is running at. So, if you have multiple 
> terminals open, you can see one session running at public, another at 
> confidential, or another at secret. Or if they are running one window as 
> secadm role and another at sysadm role, they can easily tell which is which.
> 
> This is more of an idea about helping the user to see what security level 
> each 
> of these are running at. If, for example, they copy something from secret 
> window and paste into public window, that will likely cause an audit event to 
> be generated and security officers ask them what they were doing. If the user 
> knew the sessions were at different levels, they wouldn't have tried it. (The 
> security target assumes users are well behaved.)
> 
> Hope this helps explain what we are thinking about...

I had a pretty good idea about the motivation.  However, it introduces
dependencies on uncommon libraries, and does not have wide
applicability, so I am trying to figure out if it can be done using
existing mechanisms.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet )
                                       Live Strong.  No day but today.
Chet Ramey, ITS, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/




reply via email to

[Prev in Thread] Current Thread [Next in Thread]