On Tue, 20 Jun 2006, Venkat Yekkirala wrote:

> The current approach to labeling Security Associations for SELinux
> purposes uses a one-to-one mapping between xfrm policy rules and
> security associations. This doesn't address the needs of real world MLS
> (Multi-level System, traditional Bell-LaPadula) environments where a
> single xfrm policy rule (pertaining to a range, classified to secret for
> example) might need to map to multiple Security Associations (one each
> for classified, secret, top secret and all the compartments applicable
> to these security levels).
Can you clarify whether, with this patch, Linux will then have a complete
labeled network implementation in terms of both LSPP compliance and common
user requirements?

> Outstanding items/issues:
> - Timewait acknowledgements and such are generated in the
> current/upstream implementation using a NULL socket resulting in the
> any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed
> by this patch set.

This needs to be resolved, along with labeling for all kernel owned
socket/tw objects.

I'm not entirely clear on why this doesn't already work, as it is using
IPsec, which should certainly be able to encapsulate all of this traffic.

It would also be interesting to know what kind of testing this code has had.

- James

-- 
James Morris <[EMAIL PROTECTED]>
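As an added illustration, not part of the patch or of this thread, the following Python model shows the distinction the quoted patch description draws: a one-to-one rule-to-SA mapping matches only an SA carrying exactly the rule's label, while an MLS range rule admits every SA whose label lies between the rule's low and high labels under Bell-LaPadula dominance. The sensitivity names, compartment names and SA table are constructed for the example; SELinux MLS itself uses policy-defined sensitivities and categories.

```python
from dataclasses import dataclass

# Constructed linear ordering of sensitivities (assumed names, not from the patch).
SENSITIVITY = {"unclassified": 0, "classified": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """One MLS label: a sensitivity plus a set of compartments."""
    sensitivity: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Bell-LaPadula dominance: sensitivity is at least as high and the
        # compartment set is a superset of the other label's compartments.
        return (SENSITIVITY[self.sensitivity] >= SENSITIVITY[other.sensitivity]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class PolicyRange:
    """An xfrm policy rule's label range, e.g. classified (low) to secret (high)."""
    low: Label
    high: Label

    def admits(self, sa_label: Label) -> bool:
        # An SA fits the rule when low <= sa_label <= high in the dominance order.
        return sa_label.dominates(self.low) and self.high.dominates(sa_label)


def exact_match_sas(policy_label: Label, sas: dict) -> list:
    """One-to-one behaviour: the rule maps only to SAs with exactly its label."""
    return sorted(name for name, label in sas.items() if label == policy_label)


def range_match_sas(policy: PolicyRange, sas: dict) -> list:
    """MLS behaviour: one range rule maps to every SA whose label it admits."""
    return sorted(name for name, label in sas.items() if policy.admits(label))


# Constructed SA table: one SA per sensitivity/compartment combination.
SAS = {
    "sa_unclassified": Label("unclassified"),
    "sa_classified": Label("classified"),
    "sa_secret": Label("secret"),
    "sa_secret_c1": Label("secret", frozenset({"c1"})),
    "sa_top_secret": Label("top_secret"),
}

# Constructed rule: classified up to secret with compartment c1.
RULE = PolicyRange(Label("classified"), Label("secret", frozenset({"c1"})))

if __name__ == "__main__":
    print("one-to-one:", exact_match_sas(RULE.low, SAS))  # ['sa_classified']
    print("range:", range_match_sas(RULE, SAS))  # classified, secret, secret_c1
```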