On Thu, 2006-06-22 at 02:12 -0700, David Miller wrote:
> From: [EMAIL PROTECTED]
> Date: Wed, 21 Jun 2006 15:42:38 -0400
>
> > Add support for the Commercial IP Security Option (CIPSO) to the
> > IPv4 network stack. CIPSO has become a de-facto standard for
> > trusted/labeled networking amongst existing Trusted Operating
> > Systems such as Trusted Solaris, HP-UX CMW, etc. This
> > implementation is designed to be used with the NetLabel subsystem to
> > provide explicit packet labeling to LSM developers.
>
> The thing that concerns me most about CIPSO is that even once users
> migrate to a more SELINUX native approach from this CIPSO stuff, the
> CIPSO code, its bloat, and its maintenance burden will remain.
>
> It's easy to put stuff in, it's impossible to take stuff out even
> once it's largely unused by even its original target audience.
>
> And that's what I see happening here.
>
> This is why, to be perfectly honest with you, I'd much rather
> something like this stay out-of-tree and people are strongly
> encouraged to use the more native stuff under Linux.
>
Realistically customers most likely to adopt use of SELinux are going to be ones that currently use other trusted OSs such as TSOL and HP-UX CMW. These users are unlikely to take an all (SELinux) or nothing approach. Also they are more than likely customers who will want a fully configured and supported distribution as opposed to one they'd have to patch themselves. With these points in mind I think CIPSO as an integrated interoperability mechanism is critical.

FYI, over the last couple of weeks I've validated the interoperability of the CIPSO implementation with TSOL and HP-UX CMW.

Ted