On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> The current approach to labeling Security Associations for SELinux purposes
> uses a one-to-one mapping between xfrm policy rules and security associations.
> This doesn’t address the needs of real world MLS (Multi-level System, traditional
> Bell-LaPadula) environments where a single xfrm policy rule (pertaining to a range,
> classified to secret for example) might need to map to multiple Security Associations
> (one each for classified, secret, top secret and all the compartments applicable to
> these security levels).

What if we want to share a single IPSEC SA for a range, and use e.g. CIPSO/NetLabel to individually label traffic with individual levels within that range? Does this patch set prevent such sharing of SAs? Or is it just a matter of how we configure the policy rules for polmatch?

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
