Paul Moore wrote:
On Thursday 22 June 2006 5:12 am, David Miller wrote:
From: [EMAIL PROTECTED]
Date: Wed, 21 Jun 2006 15:42:38 -0400
The thing that concerns me most about CIPSO is that even once users
migrate to a more SELINUX native approach from this CIPSO stuff, the
CIPSO code, its bloat, and its maintenance burden will remain.
It's easy to put stuff in, it's impossible to take stuff out even
once it's largely unused by even its original target audience.
And that's what I see happening here.
This is why, to be perfectly honest with you, I'd much rather
something like this stay out-of-tree and people are strongly
encouraged to use the more native stuff under Linux.
Well, not exactly the response I was hoping for, but let me plead my case one
more time :)
Traditional MLS CIPSO is a niche "protocol", I won't try to argue that point,
and I also won't try to argue that the NetLabel patch is late to the party,
the IPsec/XFRM labeling approach has already been accepted as "the" SELinux
packet labeling mechanism. However, the XFRM labeling mechanism is not
currently supported by any OS other than Linux/SELinux. I have spoken with
users that need CIPSO to interoperate with their other trusted systems; the
XFRM approach is simply not a viable solution for them. I strongly believe
that failure to support an interoperable packet labeling mechanism on Linux
will seriously restrict Linux's deployment in trusted networks.
The PitBull product uses the CIPSO/RIPSO labeling protocol in order to
do interop packet labeling with other trusted systems and for passing
labels between our own systems. Because it is the standard, it is the
protocol that government agencies use to do packet labeling across
networks. Not having CIPSO in the mainline would mean that government
agencies would either a) only use SELinux from a distro that supports
the CIPSO patch (by maintaining it in their kernel themselves), if such
a distro exists, b) have to patch the kernels themselves (unlikely), or
c) not use SELinux at all.
Also, the port of PitBull to Linux that I'm working on is currently
using the netlabel patch to handle the CIPSO/RIPSO labeling. Since the
actual protocol for reading and writing out the IPSec option is
independent from the security enforcement module it makes a lot of sense
to have a generic handler in the kernel that LSM modules can use. So,
in short, it makes my life a lot easier to have all that work already
done :)
--
Ryan Pratt
Chief Solaris Engineer
Innovative Security Systems, Inc.
(dba Argus Systems Group)
1809 Woodfield Dr.
Savoy IL 61874
(217) 355-6308
www.argus-systems.com
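As an added example, not code from this thread, NetLabel or PitBull: a defensive decoder for a CIPSO IPv4 option carrying a restrictive-bitmap tag, the kind of LSM-independent handler the message above argues for. The option layout assumed here (type 134, total length, 32-bit DOI, then tags; tag type 1 is a zero alignment octet, a sensitivity level and a category bitmap) comes from the CIPSO specification, not from the thread, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define CIPSO_OPT_TYPE 134   /* IPv4 option number assigned to CIPSO */
#define CIPSO_TAG_RBM  1     /* tag type 1: restrictive category bitmap */
struct cipso_label {
    uint32_t doi;            /* domain of interpretation */
    uint8_t  level;          /* sensitivity level */
    uint8_t  cat_bitmap[30]; /* category bitmap, category 0 = MSB of byte 0 */
    size_t   cat_len;        /* bytes of bitmap actually present */
};
/* Validate and decode one CIPSO option. Returns 0 on success, -1 if the
 * option is malformed (wrong type, inconsistent lengths, or no tag 1). */
int cipso_parse(const uint8_t *opt, size_t len, struct cipso_label *out)
{
    if (opt == NULL || out == NULL || len < 6 || opt[0] != CIPSO_OPT_TYPE)
        return -1;
    size_t opt_len = opt[1];               /* includes type and length bytes */
    if (opt_len < 6 || opt_len > 40 || opt_len > len)
        return -1;                         /* never trust the length byte */
    memset(out, 0, sizeof(*out));
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8) | opt[5];
    int found = 0;
    for (size_t pos = 6; pos < opt_len; ) {
        if (opt_len - pos < 2) return -1;  /* truncated tag header */
        uint8_t tag_type = opt[pos], tag_len = opt[pos + 1];
        if (tag_len < 2 || tag_len > opt_len - pos) return -1; /* tag overruns option */
        if (tag_type == CIPSO_TAG_RBM) {
            if (tag_len < 4 || tag_len > 34 || opt[pos + 2] != 0) return -1;
            out->level = opt[pos + 3];
            out->cat_len = tag_len - 4;
            memcpy(out->cat_bitmap, &opt[pos + 4], out->cat_len);
            found = 1;
        }
        pos += tag_len;                    /* unknown tag types are skipped */
    }
    return found ? 0 : -1;
}
/* True if category number `cat` is set in the decoded bitmap. */
int cipso_has_category(const struct cipso_label *l, unsigned cat)
{
    if (cat / 8 >= l->cat_len) return 0;
    return (l->cat_bitmap[cat / 8] >> (7 - cat % 8)) & 1;
}
/* Constructed sample option: DOI 3, level 5, categories 0, 2 and 15 set. */
static const uint8_t SAMPLE_OPT[] = { 0x86, 12, 0, 0, 0, 3, 1, 6, 0, 5, 0xA0, 0x01 };
```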