From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 07 Jan 2009 15:24:16 -0500
Subject: [refpolicy] [RFC] drop nodecons
In-Reply-To: <200901071421.35901.paul.moore@hp.com>
References: <1231341913.27022.20.camel@gorn.columbia.tresys.com>
	<200901071421.35901.paul.moore@hp.com>
Message-ID: <1231359858.7517.30.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-01-07 at 14:21 -0500, Paul Moore wrote:
> On Wednesday 07 January 2009 10:25:13 am Christopher J. PeBenito wrote:
> > Some time ago we dropped the netifcons (and related types) from
> > refpolicy, since all networking domains had access to all interfaces.
> > This made it difficult for users to label an interface with a new
> > type and have only their custom domain be allowed access to that
> > interface. So we dropped the netifcons and changed the policy for
> > networking domains to use "generic" netif_t interfaces.
> >
> > I believe we should also do this with the nodecons.  The main issue
> > is with MLS policy users.  Some of the current nodecons specify
> > system low, but the default sensitivity (initial sid) for a node is
> > system low-system high.  If we remove these system low nodecons, then
> > they would revert to system low-system high.  If we use the full
> > network_node() macros only in the MLS policy, the MLS policy will be
> > broken since domains will only be allowed generic node access
> > (node_t). We could use raw netifcons and label the nodes in question
> > as node_t at system low, but this could cause problems if the user
> > also wants to change the type of the node.  Thoughts?
> 
> From your first paragraph it sounds like this is a solved problem for 
> netifcons, even in the MLS case.  Why can't the same approach be used 
> for netnodecons?  Is it the special MLS cases where nodes are labeled 
> with system low?  If so, why would the change from system low-system 
> high break things since the effective MLS label is still system low?
> 
> I agree this is a good idea, I just don't understand the issue well 
> enough to see the problem.

All of the netifs are syslow-syshigh.  So removing netifcons had no MLS
effect, since the netif initial sid is also syslow-syshigh.  The node
case is different, as there would be an MLS effect.  For example,
0.0.0.0/32 is currently syslow.  If we remove the nodecon, 0.0.0.0/32
would become syslow-syshigh since the node initial sid is
syslow-syshigh.

So if we don't care about the MLS effect, then I can just drop the
nodecons, and there isn't an issue.  Since there are nodes that are not
syslow-syshigh, I figured that there might be some concern.

If there is a concern the options are:

1. don't drop the nodecons and related types (eg inaddr_any_node_t)
2. drop the nodecons and related types for non-MLS policies (causes a
mess of ifdef mls_enabled TE issues)
3. drop the related types in all cases, drop the nodecons for non-MLS
policies (you can't modify the type of the nodes defined in the base
module via semanage--at least, I can't get it to work)

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150