IPv6 netmask in nodecon statement

IPv6 netmask in nodecon statement

[Christian Göttsche]

Hi,

what is the correct way of specifying an ipv6 netmask in the nodecon statement?
I am searching for a valid netmask for localhost (::1).
'fe80::/10' should be one, but since the syntax does not support any
prefix-length, this is not compiling.
Using 'fe80::' seems to work fine, but setools is complaining [1].
Or should I use the full netmask: 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' ?


[1]: https://github.com/SELinuxProject/setools/issues/40

Re: IPv6 netmask in nodecon statement

[Stephen Smalley]

On 2/5/20 12:23 PM, Christian Göttsche wrote:
> Hi,
> 
> what is the correct way of specifying an ipv6 netmask in the nodecon statement?
> I am searching for a valid netmask for localhost (::1).
> 'fe80::/10' should be one, but since the syntax does not support any
> prefix-length, this is not compiling.
> Using 'fe80::' seems to work fine, but setools is complaining [1].
> Or should I use the full netmask: 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' ?
> 
> 
> [1]: https://github.com/SELinuxProject/setools/issues/40

I think the userspace uses inet_pton(3) to convert both the mask and the 
address strings to values, so it would have to be something accepted by 
inet_pton(3).

In theory one could alter the userspace scanners/parsers and code to 
also support the slash notation and use inet_net_pton(3) instead for the 
mask.  Don't think that was available when we started or at least didn't 
know about it and it is a non-standard interface,
http://man7.org/linux/man-pages/man3/inet_net_pton.3.html