On Fri, 23 Jun 2006, Ted wrote:

> I can guarantee that initially SELinux adoption will be by those running
> trusted OSs and they will want their systems to be able to interoperate
> at level. The idea that IPSEC will fill this need in the near term is
> just not realistic.
SELinux is already being adopted for all kinds of needs. In many cases, people have been using MLS because that's all there is in terms of MAC operating systems, and would actually be much better off with Type Enforcement for new deployments. MLS solves a very narrow (albeit important) case, whereas TE is designed to be generic. Typically, MLS is indicated when you have a very large number of domains to separate (e.g. many hundreds or thousands of compartments with hierarchical properties).

SELinux provides MLS support, and has a generic labeled networking framework ("xfrm labeling"). Some further work is needed for xfrm labeling to provide a complete MLS solution, which TCS and co have been working on.

The general idea is that we're working on new, inherently flexible security schemes for Linux, which will meet a wider range of requirements and be available as standard features of mainstream distros.

Support for interoperability with legacy CIPSO systems is something that I think would be nice to have, if it can be done in a way which doesn't impact deeply on core kernel code, and plays nicely with native Linux infrastructure.

- James

--
James Morris <[EMAIL PROTECTED]>
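To make the TE-versus-MLS distinction in the reply above concrete, here is an added illustration in SELinux policy language (reference-policy style syntax). It is not from the original message or from any SELinux project source; the type, sensitivity and category names are hypothetical. The TE half separates two services with explicit per-type rules; the MLS half expresses the same "who may read what" question as a lattice constraint over levels and categories, which is the form that scales to thousands of compartments but says nothing about the per-program structure that TE captures.

```text
## --- Type Enforcement: explicit, per-domain rules (hypothetical types) ---
type webapp_t;            # a web application process domain
type webapp_data_t;       # its own data files
type payroll_t;           # an unrelated service domain
type payroll_data_t;      # payroll records

# Each domain may touch only its own data; anything not listed is denied.
allow webapp_t  webapp_data_t  : file { read write getattr };
allow payroll_t payroll_data_t : file { read write getattr };
# No rule grants webapp_t access to payroll_data_t, so it is denied by default.

## --- MLS: one generic constraint over a lattice of levels ---
sensitivity s0;
sensitivity s1;
dominance { s0 s1 }       # s1 dominates s0
category c0; category c1; category c2;
level s0:c0.c2;           # s0 may carry categories c0..c2
level s1:c0.c2;

# "No read up": a subject may read a file only if the subject's low level
# (l1) dominates the file's low level (l2). This single rule covers every
# compartment combination without naming individual programs or files.
mlsconstrain file { read getattr } ( l1 dom l2 );

# "No write down": a subject may write a file only if the file's level
# dominates the subject's level.
mlsconstrain file { write append } ( l1 domby l2 );

## How the two compose on a labeled file (hypothetical contexts):
##   system_u:object_r:payroll_data_t:s1:c1
## A process running as system_u:system_r:payroll_t:s1:c1 passes both the TE
## allow rule and the MLS read constraint. A process in payroll_t at s0:c1
## passes TE but fails "l1 dom l2", so the read is denied by MLS alone.
## A process in webapp_t at s1:c1 passes MLS but has no TE allow rule, so it
## is denied by TE alone. Both checks must succeed for access to be granted.
```

The point the reply makes follows from the shape of the two halves: TE needs one rule per (domain, type, permission) relationship, which is precise but grows with the number of programs, whereas the MLS constraint is written once and decided by label comparison, which is what you want when the separation requirement is "N compartments, some hierarchical" rather than "these specific programs may do these specific things." Note that in a real SELinux MLS policy both mechanisms run together, as sketched at the end of the block.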