From: Joshua Brindle <method@manicmethod.com>
To: vyekkirala@TrustedCS.com
Cc: "'Paul Moore'" <paul.moore@hp.com>, John Wan <J.Wan@mbs.edu>,
selinux@tycho.nsa.gov
Subject: Re: Would the SELinux act as a TippingPoint IPS to block the nasty Trojan traffic?
Date: Wed, 11 Apr 2007 13:01:24 -0400 [thread overview]
Message-ID: <461D1464.7070607@manicmethod.com> (raw)
In-Reply-To: <000301c77c4b$83b18870$cc0a010a@tcssec.com>
Venkat Yekkirala wrote:
> Just FYI-I did propose filtering in the filter table in the past,
> and this has been on my todo list.
>
> "Implementation issues aside, lately I have been wondering about doing
> something in the filter table using something we could call secfilter
> or so.
>
> You would still use secmark to label the packets, but they (along with
> any external labels) could get filtered in the secfilter module. This
> way we could control what external labels could come thru from what peers.
> For internal labels it would be more of an assurance thing. This would also
> automatically take care of forwarding controls."
>
> More at: http://marc.info/?l=selinux&m=116232831800159&w=2
>
so from what I gather the secfilter module would be querying the selinux
policy to determine whether or not to drop something, that would mean a
change in iptables changes the enforcement policy (not just the labeling
policy as is the case now) which is a little disconcerting.
How does this work into the idea we had during the summit about SELinux
having its own table? The table would presumably be a mangle table for
labeling but could it also be a filter table? I'm not clear on what is
possible in netfilter.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-04-11 17:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-10 11:30 Would the SELinux act as a TippingPoint IPS to block the nasty Trojan traffic? John Wan
2007-04-10 15:18 ` Paul Moore
2007-04-11 0:11 ` Joshua Brindle
2007-04-11 2:46 ` Paul Moore
2007-04-11 2:58 ` Joshua Brindle
2007-04-11 13:16 ` Paul Moore
2007-04-11 15:10 ` Venkat Yekkirala
2007-04-11 15:17 ` Paul Moore
2007-04-12 17:39 ` Venkat Yekkirala
2007-04-11 17:01 ` Joshua Brindle [this message]
2007-04-11 17:32 ` Paul Moore
2007-04-12 17:51 ` Venkat Yekkirala
-- strict thread matches above, loose matches on Subject: below --
2007-04-12 17:52 Venkat Yekkirala
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=461D1464.7070607@manicmethod.com \
--to=method@manicmethod.com \
--cc=J.Wan@mbs.edu \
--cc=paul.moore@hp.com \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.