From: Paul Moore <paul.moore@hp.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Venkat Yekkirala <vyekkirala@TrustedCS.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Joy Latten <latten@us.ibm.com>,
selinux@tycho.nsa.gov
Subject: Re: ipsec and getpeercon()
Date: Fri, 01 Sep 2006 11:40:49 -0400 [thread overview]
Message-ID: <44F85481.80203@hp.com> (raw)
In-Reply-To: <1157124313.20971.27.camel@twoface.columbia.tresys.com>
Joshua Brindle wrote:
> Hrm, am I right in understanding that the selinux context from one
> machine is never sent over ipsec to the destination?
>
> What you talk about above (using static SA's which refer to different
> contexts on each side) is doable but seems inconvenient and fragile
> (multiple client domains talking to the same destination daemon using
> lots of SA's that have to be managed).
>
> One option (maybe) is to get racoon to send the context of the
> connecting domain as part of the negotiation, this still requires lots
> of SA's.
>
> Another way is if I could have a local proxy that has a single SA to the
> destination machine and can send an appropriate context in the AH or ESP
> header (in the authentication data field? I don't now the ipsec spec at
> all so I'm not sure if any of this is possible, please let me know if
> not so I can start looking elsewhere).
>
> Note that we may be sending contexts that aren't even valid on the local
> machine, but would be valid on the destination machine.
>
> is any of this possible?
WARNING: *shameless* plug ahead, read at your own risk :)
NetLabel takes it's security context directly from the socket which is
writing the data to the network, not from a separate source. This
allows for the dynamic context packet labeling I think you are looking
for ... yes?
However, in the interest of full disclosure I should point out that
currently NetLabel only supports the MLS label portion of the context
but I plan on extending that in the future. Also, NetLabel only offers
packet labeling, not packet autentication or encryption like IPsec.
However, NetLabel could be used in conjunction with regular IPsec
without problems. This would allow you a dynamically labeled, secure
connection between two parties with as few SAs as you desire.
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-09-01 15:40 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-01 14:35 ipsec and getpeercon() Venkat Yekkirala
2006-09-01 15:25 ` Joshua Brindle
2006-09-01 15:40 ` Paul Moore [this message]
2006-09-04 12:59 ` Joshua Brindle
2006-09-05 3:50 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2006-09-06 16:20 Venkat Yekkirala
2006-09-06 16:19 Venkat Yekkirala
2006-09-05 20:04 Venkat Yekkirala
2006-09-05 20:01 Venkat Yekkirala
2006-09-06 15:55 ` Joshua Brindle
2006-09-05 16:42 Venkat Yekkirala
2006-09-05 17:10 ` Paul Moore
2006-09-05 16:27 Venkat Yekkirala
2006-09-05 16:14 Venkat Yekkirala
2006-09-05 16:27 ` Paul Moore
2006-09-05 15:43 Venkat Yekkirala
2006-09-05 16:01 ` Paul Moore
2006-09-05 14:36 Joy Latten
2006-09-01 22:42 Joy Latten
2006-09-01 20:49 Venkat Yekkirala
2006-09-01 20:58 ` Paul Moore
2006-09-01 22:32 ` Paul Moore
2006-09-04 18:51 ` Joshua Brindle
2006-09-05 4:00 ` Paul Moore
2006-09-05 11:53 ` Joshua Brindle
2006-09-05 15:15 ` Paul Moore
2006-09-01 20:35 Venkat Yekkirala
2006-09-04 12:38 ` Joshua Brindle
2006-09-01 19:52 Joy Latten
2006-09-01 19:47 Joy Latten
2006-09-01 20:19 ` Paul Moore
2006-09-04 12:43 ` Joshua Brindle
2006-09-05 3:32 ` Paul Moore
2006-09-05 11:58 ` Joshua Brindle
2006-09-05 13:31 ` Stephen Smalley
2006-09-05 13:34 ` Joshua Brindle
2006-09-05 15:24 ` Paul Moore
2006-09-05 15:22 ` Paul Moore
2006-09-01 19:41 Venkat Yekkirala
2006-09-01 19:34 Venkat Yekkirala
2006-09-01 18:17 Joy Latten
2006-09-01 15:49 Venkat Yekkirala
2006-09-01 16:52 ` Stephen Smalley
2006-09-01 17:48 ` Joshua Brindle
2006-09-01 13:16 Venkat Yekkirala
2006-09-01 13:41 ` Stephen Smalley
2006-08-30 16:43 Venkat Yekkirala
2006-09-01 12:15 ` Joshua Brindle
2006-08-29 18:08 Joshua Brindle
2006-08-29 18:20 ` Joshua Brindle
2006-08-29 18:28 ` Paul Moore
2006-08-29 19:28 ` Paul Moore
2006-08-29 19:37 ` Stephen Smalley
2006-08-29 19:46 ` Joshua Brindle
2006-08-29 20:25 ` Stephen Smalley
2006-08-29 20:32 ` Stephen Smalley
2006-08-29 21:11 ` Klaus Weidner
2006-08-30 11:28 ` Stephen Smalley
2006-08-29 22:37 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44F85481.80203@hp.com \
--to=paul.moore@hp.com \
--cc=jbrindle@tresys.com \
--cc=latten@us.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.