From: paul.moore@hp.com (Paul Moore)
Date: Wed, 7 Jan 2009 17:20:02 -0500
Subject: [refpolicy] [RFC] drop nodecons
In-Reply-To: <1231359858.7517.30.camel@gorn>
References: <1231341913.27022.20.camel@gorn.columbia.tresys.com> <200901071421.35901.paul.moore@hp.com> <1231359858.7517.30.camel@gorn>
Message-ID: <200901071720.02842.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wednesday 07 January 2009 3:24:16 pm Christopher J. PeBenito wrote:
> On Wed, 2009-01-07 at 14:21 -0500, Paul Moore wrote:
> > On Wednesday 07 January 2009 10:25:13 am Christopher J. PeBenito wrote:
> > > Some time ago we dropped the netifcons (and related types) from
> > > refpolicy, since all networking domains had access to all
> > > interfaces. This made it difficult for users to label an
> > > interface with a new type and have only their custom domain be
> > > allowed access to that interface. So we dropped the netifcons and
> > > changed the policy for networking domains to use "generic"
> > > netif_t interfaces.
> > >
> > > I believe we should also do this with the nodecons. The main
> > > issue is with MLS policy users. Some of the current nodecons
> > > specify system low, but the default sensitivity (initial sid) for
> > > a node is system low-system high. If we remove these system low
> > > nodecons, then they would revert to system low-system high. If
> > > we use the full network_node() macros only in the MLS policy, the
> > > MLS policy will be broken since domains will only be allowed
> > > generic node access (node_t). We could use raw netifcons and
> > > label the nodes in question as node_t at system low, but this
> > > could cause problems if the user also wants to change the type of
> > > the node. Thoughts?
> >
> > From your first paragraph it sounds like this is a solved problem
> > for netifcons, even in the MLS case. Why can't the same approach
> > be used for netnodecons? Is it the special MLS cases where nodes
> > are labeled with system low? If so, why would the change from
> > system low-system high break things since the effective MLS label
> > is still system low?
> >
> > I agree this is a good idea, I just don't understand the issue well
> > enough to see the problem.
>
> All of the netifs are syslow-syshigh. So removing netifcons had no
> MLS effect, since the netif initial sid is also syslow-syshigh. The
> node case is different, as there would be an MLS effect. For
> example, 0.0.0.0/32 is currently syslow. If we remove the nodecon,
> 0.0.0.0/32 would become syslow-syshigh since the node initial sid is
> syslow-syshigh.
>
> So if we don't care about the MLS effect, then I can just drop the
> nodecons, and there isn't an issue. Since there are nodes that are
> not syslow-syshigh, I figured that there might be some concern.

Thanks for the clarification. Personally I'm not sure this is a
significant concern, syslow-syshi seems reasonable to me for the
default. Allowing users to customize the node labeling is a big win and
should offset any problems with the move away from syslo. The next step
is to get semanage to label network nodes (or fix it if it is broken).

-- 
paul moore
linux @ hp