[redhat-lspp] Re: [RFC 3/7] NetLabel: CIPSOv4 engine
- From: David Miller <davem davemloft net>
- To: paul moore hp com
- Cc: jmorris redhat com, sds epoch ncsc mil, redhat-lspp redhat com, linux-security-module vger kernel org, selinux tycho nsa gov, netdev vger kernel org, sgrubb redhat com
- Subject: [redhat-lspp] Re: [RFC 3/7] NetLabel: CIPSOv4 engine
- Date: Thu, 22 Jun 2006 02:12:23 -0700 (PDT)
From: paul moore hp com
Date: Wed, 21 Jun 2006 15:42:38 -0400
> Add support for the Commercial IP Security Option (CIPSO) to the
> IPv4 network stack. CIPSO has become a de-facto standard for
> trusted/labeled networking amongst existing Trusted Operating
> Systems such as Trusted Solaris, HP-UX CMW, etc. This
> implementation is designed to be used with the NetLabel subsystem to
> provide explicit packet labeling to LSM developers.
The thing that concerns me most about CIPSO is that even once users
migrate to a more SELINUX native approach from this CIPSO stuff, the
CIPSO code, its bloat, and its maintenance burden will remain.
It's easy to put stuff in, it's impossible to take stuff out even
once it's largely unused by even its original target audience.
And that's what I see happening here.
This is why, to be perfectly honest with you, I'd much rather
something like this stay out-of-tree and people are strongly
encouraged to use the more native stuff under Linux.