On Thu, 2006-06-22 at 13:59 -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" <[EMAIL PROTECTED]> writes:
> 
> > Quoting Paul Moore ([EMAIL PROTECTED]):
> >> 
> >> If I am understanding you correctly this just sounds like adding IP
> >> aliases to an interface, or just simply adding a new NIC, and assigning
> >> each address to a network namespace.  While it's easy to do and even
> >> easier to secure I don't think it addresses the problem we are trying to
> >> solve - port polyinstantiation - where you can have multiple
> >> applications bound to the same IP/protocol/port with the only difference
> >> being the application's security label.
> >
> > I'm really not the expert here, but nevertheless according to what I've
> > heard from at least the PlanetLab guys, we may not need to use nat -
> > having multiple containers with the same IP address may be possible.
> 
> So no.  No nat needed.
> 
> All you have to do is setup a network namespace as a router that routes
> packets by security label to different network namespaces.
> 
>     OUTSIDE WORLD
>         |
>         v
> 
>       ROUTER -> SECURITY SPACE 1
>         |  \
>         |   v
>         |   SECURITY SPACE 2
>         v
>      SECURITY SPACE 3
>
> 
> The destination network namespaces are effectively different network
> stacks so they can be configured however you want.
> 
> So a network namespace should be able to solve a port polyinstantiation
> problem.  Allowing you to bind multiple applications to INADDR_ANY
> with the same protocol and port on the same machine. 
> 
> I have a hard time arguing for this case because I can't think of 
> a good reason to implement port polyinstantiation. 

We demo'd a system last year on TSOL where we created polyinstantiated
directories and installed Apache Tomcat, Liferay (portal) and MySQL.
MySQL was used to hold the portal configuration. On the portal we had a
portlet that queried at level a database hosted on a HP-UX CMW using a
web service. We browsed to these portal instances at level using the
TSOL Session Server. All of the web servers accepted connections on the
same port and internally all of the MySQL instances communicated with
the portal code via the same port but they were all running at different
levels. We'd very much like to be able to do something similar on
SELinux at least until the tools catch up.

> 
> Eric

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp