From: Ryan Pratt <pratt@argus-systems.com>
To: Paul Moore <paul.moore@hp.com>
Cc: David Miller <davem@davemloft.net>,
redhat-lspp@redhat.com, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
sds@epoch.ncsc.mil, jmorris@redhat.com, sgrubb@redhat.com
Subject: Re: [RFC 3/7] NetLabel: CIPSOv4 engine
Date: Thu, 22 Jun 2006 10:57:14 -0500
Message-ID: <449ABDDA.2070606@argus-systems.com>
In-Reply-To: <200606220943.11185.paul.moore@hp.com>
Paul Moore wrote:
>On Thursday 22 June 2006 5:12 am, David Miller wrote:
>
>>From: paul.moore@hp.com
>>Date: Wed, 21 Jun 2006 15:42:38 -0400
>>
>>The thing that concerns me most about CIPSO is that even once users
>>migrate to a more SELinux native approach from this CIPSO stuff, the
>>CIPSO code, its bloat, and its maintenance burden will remain.
>>
>>It's easy to put stuff in, it's impossible to take stuff out even
>>once it's largely unused by even its original target audience.
>>
>>And that's what I see happening here.
>>
>>This is why, to be perfectly honest with you, I'd much rather
>>something like this stay out-of-tree and people are strongly
>>encouraged to use the more native stuff under Linux.
>>
>
>Well, not exactly the response I was hoping for, but let me plead my case one
>more time :)
>
>Traditional MLS CIPSO is a niche "protocol", I won't try to argue that point,
>and I also won't try to argue that the NetLabel patch is late to the party,
>the IPsec/XFRM labeling approach has already been accepted as "the" SELinux
>packet labeling mechanism. However, the XFRM labeling mechanism is not
>currently supported by any OS other than Linux/SELinux. I have spoken with
>users that need CIPSO to interoperate with their other trusted systems, the
>XFRM approach is simply not a viable solution for them. I strongly believe
>that failure to support an interoperable packet labeling mechanism on Linux
>will seriously restrict Linux's deployment in trusted networks.
>
The PitBull product uses the CIPSO/RIPSO labeling protocol in order to
do interop packet labeling with other trusted systems and for passing
labels between our own systems. Because it is the standard, it is the
protocol that government agencies use to do packet labeling across
networks. Not having CIPSO in the mainline would mean that government
agencies would either a) only use SELinux from a distro that supports
the CIPSO patch (by maintaining it in their kernel themselves), if such
a distro exists, b) have to patch the kernels themselves (unlikely), or
c) not use SELinux at all.

Also, the port of PitBull to Linux that I'm working on is currently
using the NetLabel patch to handle the CIPSO/RIPSO labeling. Since the
actual protocol for reading and writing out the IPSec option is
independent from the security enforcement module, it makes a lot of sense
to have a generic handler in the kernel that LSM modules can use. So,
in short, it makes my life a lot easier to have all that work already
done :)
--
Ryan Pratt
Chief Solaris Engineer
Innovative Security Systems, Inc.
(dba Argus Systems Group)
1809 Woodfield Dr.
Savoy IL 61874
(217) 355-6308
www.argus-systems.com
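Ryan's point above is that reading and writing the CIPSO option on the wire is a protocol-parsing job that does not depend on which LSM makes the access decision. To make that concrete, here is an added example (written for this page, not code from the NetLabel patch, the kernel or the PitBull product) that parses and builds the CIPSO IPv4 option, type 134. The byte layout, the three tag types (1 bitmap, 2 enumerated, 5 ranged) and the per-tag size limits follow the CIPSO draft as I recall it and are assumptions here; the sample option bytes are constructed. The parser validates every tag before returning a label, so a malformed option is rejected rather than half-decoded, which is the property a generic in-kernel handler would need to give the LSMs above it.

```python
"""CIPSO IPv4 option (type 134) reader/writer.

Added example, not code from the NetLabel patch, the kernel or PitBull.
Layout assumed here follows the CIPSO draft as I recall it:

  134 | len | DOI (4 bytes, big-endian) | tag, tag, ...
  tag: type | len | alignment (0) | level | category data

Tag 1 carries categories as a bitmap (MSB of the first byte = category 0),
tag 2 as a list of 16-bit category numbers, tag 5 as (top, bottom) 16-bit
ranges.  The per-tag size limits below are also taken from the draft.
"""
import struct
from dataclasses import dataclass

CIPSO_OPT_TYPE = 134
CIPSO_HDR_LEN = 6          # type + len + DOI
IPV4_MAX_OPT_LEN = 40      # hard limit for any IPv4 option
TAG_BITMAP, TAG_ENUM, TAG_RANGE = 1, 2, 5
MAX_CAT_BYTES = {TAG_BITMAP: 30, TAG_ENUM: 30, TAG_RANGE: 28}  # assumed limits


class CipsoError(ValueError):
    """Raised for any malformed option; a receiver would drop the packet."""


@dataclass(frozen=True)
class CipsoLabel:
    doi: int
    level: int
    categories: frozenset


def _parse_tag(tag_type: int, body: bytes) -> tuple:
    """Decode one tag body (everything after the 2-byte tag header)."""
    if tag_type not in MAX_CAT_BYTES:
        raise CipsoError(f"unsupported tag type {tag_type}")
    if len(body) < 2 or body[0] != 0:
        raise CipsoError("bad alignment octet")
    level, cat_data = body[1], body[2:]
    if len(cat_data) > MAX_CAT_BYTES[tag_type]:
        raise CipsoError("category data too long")
    cats = set()
    if tag_type == TAG_BITMAP:
        for i, byte in enumerate(cat_data):
            cats.update(i * 8 + bit for bit in range(8) if byte & (0x80 >> bit))
    elif tag_type == TAG_ENUM:
        if len(cat_data) % 2:
            raise CipsoError("odd enumerated category list")
        cats.update(struct.unpack(f"!{len(cat_data) // 2}H", cat_data))
    else:  # TAG_RANGE
        if len(cat_data) % 4:
            raise CipsoError("ragged range list")
        for i in range(0, len(cat_data), 4):
            top, bottom = struct.unpack("!HH", cat_data[i:i + 4])
            if bottom > top:
                raise CipsoError("range bottom above top")
            cats.update(range(bottom, top + 1))
    return level, frozenset(cats)


def parse_cipso_option(opt: bytes) -> CipsoLabel:
    """Validate every tag, then return the label carried by the first one."""
    if len(opt) < CIPSO_HDR_LEN or opt[0] != CIPSO_OPT_TYPE:
        raise CipsoError("not a CIPSO option")
    opt_len = opt[1]
    # Must fit the buffer and the IPv4 option space, and carry at least one tag.
    if not CIPSO_HDR_LEN < opt_len <= min(IPV4_MAX_OPT_LEN, len(opt)):
        raise CipsoError("bad option length")
    doi = struct.unpack("!I", opt[2:6])[0]
    tags, off = [], CIPSO_HDR_LEN
    while off < opt_len:
        if opt_len - off < 2:
            raise CipsoError("truncated tag header")
        tag_type, tag_len = opt[off], opt[off + 1]
        if tag_len < 4 or off + tag_len > opt_len:
            raise CipsoError("bad tag length")
        tags.append(_parse_tag(tag_type, opt[off + 2:off + tag_len]))
        off += tag_len
    level, cats = tags[0]
    return CipsoLabel(doi, level, cats)


def build_cipso_option(doi: int, level: int, categories, tag_type: int = TAG_BITMAP) -> bytes:
    """Encode a label; the inverse of parse_cipso_option for tags 1 and 2."""
    cats = sorted(categories)
    if tag_type == TAG_BITMAP:
        bitmap = bytearray((cats[-1] // 8 + 1) if cats else 0)
        for c in cats:
            bitmap[c // 8] |= 0x80 >> (c % 8)
        cat_data = bytes(bitmap)
    elif tag_type == TAG_ENUM:
        cat_data = struct.pack(f"!{len(cats)}H", *cats)
    else:
        raise CipsoError("builder handles tag types 1 and 2 only")
    if len(cat_data) > MAX_CAT_BYTES[tag_type]:
        raise CipsoError("too many or too large categories for this tag type")
    tag = bytes([tag_type, 4 + len(cat_data), 0, level]) + cat_data
    return bytes([CIPSO_OPT_TYPE, CIPSO_HDR_LEN + len(tag)]) + struct.pack("!I", doi) + tag


def rejects(opt: bytes) -> bool:
    """True when the parser refuses the option."""
    try:
        parse_cipso_option(opt)
    except CipsoError:
        return True
    return False


# Constructed sample: DOI 3, level 5, bitmap categories {0, 2, 15}.
SAMPLE_BITMAP = bytes([134, 12, 0, 0, 0, 3, 1, 6, 0, 5, 0xA0, 0x01])

if __name__ == "__main__":
    print(parse_cipso_option(SAMPLE_BITMAP))
    assert build_cipso_option(3, 5, {0, 2, 15}) == SAMPLE_BITMAP
```

Nothing in the block knows about SELinux contexts or PitBull's label database: mapping the DOI, level and category set onto a local security context, and deciding whether the packet may be delivered, is exactly the part left to the LSM. RIPSO, which the message also mentions, is a different option format and is not handled here.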