From: chanson@TrustedCS.com (chanson at TrustedCS.com)
Date: Fri, 13 Feb 2009 17:17:13 -0500
Subject: [refpolicy] [PATCH] refpolicy: Add missing network related
	MLSconstraints
References: <20090212211531.619341973@hp.com>
	<200902131544.42460.paul.moore@hp.com> <4995E83B.1040003@sun.com>
	<200902131702.10467.paul.moore@hp.com>
Message-ID: <170D6ABBBA770349AA49582A86FCED15BA0238@HAVOC.tcs-sec.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

You are correct, we want to keep the existing overrides, but not provide
anymore overrides. The network interface / node checking rope should be
very short. The few exceptions of unlabeled_t or kernel_t. kernel_t was
necessary for nfs awhile back (may not be necessary now), probably
iSCSI, or basically things where the kernel is generating the packet
instead of a process and not assuming other credentials.  

-Chad

> 
> > In Solaris Trusted Extensions, neither the net_mac_read, 
> > net_mac_write, nor net_repy_equal privileges are 
> implemented. It was 
> > viewed as a weakness in Trusted Solaris that MAC could be 
> overridden by privilege.
> > Instead, the administrator (who configures the system 
> network policy) 
> > can enumerate multilevel network ports, and appropriately 
> privileged 
> > services can bind to them.
> 
> I assume by multilevel network ports you are talking about 
> port polyinstantiation and not a single (in every sense of 
> the word) port that allows a range of labels?
> 
> If we assume polyports then I agree that it makes perfect 
> sense to try and work around the MLS constraints.  I wonder 
> about some privileged apps but I would need to think about 
> that some more.
> 
> > Since MLS constraints are relatively new to UNIX, there isn't a 
> > compatibility requirement that the superuser should be able to 
> > override it. So don't provide any more rope than you need to.
> 
> Well, the MLS constraints aren't all that new to SELinux and 
> several already exist in the networking space (the patch 
> above didn't create any new ones, just used the existing 
> constraints).  As I understand it, the SELinux constraints 
> are also quite different from the TSOL/TX privileges; I'll 
> concede that they are both rope, but I think the lengths are 
> quite different ;)
> 
> Perhaps I'm missing something but I'm pretty sure that 
> without any form of polyports (I highly doubt we will see 
> these anytime soon) we are going to need/want network MLS 
> constraint overrides.
>