From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Thu, 08 Jan 2009 09:17:11 -0500
Subject: [refpolicy] [RFC] drop nodecons
In-Reply-To: <200901071720.02842.paul.moore@hp.com>
References: <1231341913.27022.20.camel@gorn.columbia.tresys.com> <200901071421.35901.paul.moore@hp.com> <1231359858.7517.30.camel@gorn> <200901071720.02842.paul.moore@hp.com>
Message-ID: <1231424231.14773.17.camel@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-01-07 at 17:20 -0500, Paul Moore wrote:
> On Wednesday 07 January 2009 3:24:16 pm Christopher J. PeBenito wrote:
> > On Wed, 2009-01-07 at 14:21 -0500, Paul Moore wrote:
> > > On Wednesday 07 January 2009 10:25:13 am Christopher J. PeBenito wrote:
> > > > Some time ago we dropped the netifcons (and related types) from
> > > > refpolicy, since all networking domains had access to all
> > > > interfaces. This made it difficult for users to label an
> > > > interface with a new type and have only their custom domain be
> > > > allowed access to that interface. So we dropped the netifcons and
> > > > changed the policy for networking domains to use "generic"
> > > > netif_t interfaces.
> > > >
> > > > I believe we should also do this with the nodecons. The main
> > > > issue is with MLS policy users. Some of the current nodecons
> > > > specify system low, but the default sensitivity (initial sid) for
> > > > a node is system low-system high. If we remove these system low
> > > > nodecons, then they would revert to system low-system high. If
> > > > we use the full network_node() macros only in the MLS policy, the
> > > > MLS policy will be broken since domains will only be allowed
> > > > generic node access (node_t). We could use raw netifcons and
> > > > label the nodes in question as node_t at system low, but this
> > > > could cause problems if the user also wants to change the type of
> > > > the node. Thoughts?
> > >
> > > From your first paragraph it sounds like this is a solved problem
> > > for netifcons, even in the MLS case. Why can't the same approach
> > > be used for netnodecons? Is it the special MLS cases where nodes
> > > are labeled with system low? If so, why would the change from
> > > system low-system high break things since the effective MLS label
> > > is still system low?
> > >
> > > I agree this is a good idea, I just don't understand the issue well
> > > enough to see the problem.
> >
> > All of the netifs are syslow-syshigh. So removing netifcons had no
> > MLS effect, since the netif initial sid is also syslow-syshigh. The
> > node case is different, as there would be an MLS effect. For
> > example, 0.0.0.0/32 is currently syslow. If we remove the nodecon,
> > 0.0.0.0/32 would become syslow-syshigh since the node initial sid is
> > syslow-syshigh.
> >
> > So if we don't care about the MLS effect, then I can just drop the
> > nodecons, and there isn't an issue. Since there are nodes that are
> > not syslow-syshigh, I figured that there might be some concern.
>
> Thanks for the clarification. Personally I'm not sure this is a
> significant concern, syslow-syshi seems reasonable to me for the
> default. Allowing users to customize the node labeling is a big win
> and should offset any problems with the move away from syslo.
>
> The next step is to get semanage to label network nodes (or fix it if it
> is broken).

semanage node support exists, but might not correctly handle
conflicting/overlapping definitions between the base policy and local
customizations. See prior discussion on Adding local nodecon's through
semanage on selinux list.

--
Stephen Smalley
National Security Agency
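
An offline check for the conflicting/overlapping definitions mentioned in the reply above, added here as an example; it is not part of the original thread and not code from semanage or refpolicy. It assumes IPv4 `nodecon` lines in policy.conf-style syntax (address, netmask, context); the sample statements, the `my_node_t` type and the `s15:c0.c1023` system-high range are constructed for illustration.

```python
import ipaddress

# Constructed sample statements (address, netmask, context); they are
# illustrative and not copied from refpolicy or any shipped policy.
BASE = """\
nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_t:s0
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_t:s0 - s15:c0.c1023
"""
LOCAL = """\
nodecon 127.0.0.0 255.0.0.0 system_u:object_r:my_node_t:s0
nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_t:s0 - s15:c0.c1023
nodecon 10.1.2.0 255.255.255.0 system_u:object_r:my_node_t:s0
"""

def parse_nodecons(text):
    """Return [(IPv4Network, context)] for each IPv4 nodecon line in text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("nodecon "):
            continue
        # The context is everything after the mask; an MLS range may contain spaces.
        _, addr, mask, context = line.split(None, 3)
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        entries.append((net, " ".join(context.split())))
    return entries

def find_clashes(base, local):
    """Compare local entries with base ones; return [(kind, local_net, base_net)].

    "conflict": same network, different context (type or MLS range).
    "overlap":  networks intersect without being equal, contexts differ.
    """
    clashes = []
    for lnet, lctx in local:
        for bnet, bctx in base:
            if not lnet.overlaps(bnet) or lctx == bctx:
                continue
            kind = "conflict" if lnet == bnet else "overlap"
            clashes.append((kind, str(lnet), str(bnet)))
    return clashes

if __name__ == "__main__":
    for clash in find_clashes(parse_nodecons(BASE), parse_nodecons(LOCAL)):
        print(*clash)
```

The check only reports clashing entries for review; it makes no claim about which definition the loaded policy would apply.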