[redhat-lspp] [RFC] A Proposal for CIPSO on Linux (again)

James Morris jmorris at redhat.com
Wed Oct 26 04:05:01 UTC 2005


On Tue, 25 Oct 2005, Paul Moore wrote:

> ip_options.c (to make it CIPSO aware) and a new netfilter module.  I believe
> all of the access decisions and packet labeling can be done using the existing
> LSM hooks.  I would greatly appreciate any feedback you can offer.

I suspect this can be done without impacting too negatively on mainline.

As Chris suggested, you'll need to verify the label for each incoming 
fragment.  You could also consider not supporting IP fragmentation when 
labeling is enabled (dropping or rejecting them via netfilter and ensuring 
the system is configured correctly).  Fragmentation is really only used 
for NFS over UDP, and NFS over TCP is the way to go anyway.

I'm not sure why you'd need a separate netfilter module to check packets. 
Just check them from within SELinux, which itself can use the Netfilter 
API.

Technical issues aside, I think you can make an argument to support CIPSO 
options in mainline for the same reasons there are legacy filesystems in 
the kernel.  Whether CIPSO is a transitional technology or not is not 
really our concern here.  You could almost say the same thing about MLS 
itself.

Mainline inclusion of CIPSO code can probably be justified with:
- the fact that people are using it at all
- providing interoperability with other production OSs
- an implementation which doesn't negatively impact on non-users
- isolating the code (e.g. making it configurable, and easy for 
  maintainers to deal with)
- commitment to maintaining the code from existing maintainers or someone 
  they trust (including yourself of course)


-- 
James Morris
<jmorris at redhat.com>
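The per-fragment label verification discussed above, as an added example in C that is not part of the thread or of any kernel code: it parses a CIPSO IP option (option type 134, first tag only, tag type 1 "restrictive bitmap", laid out per the CIPSO draft and FIPS 188) and refuses to treat fragments as one datagram unless every fragment carries the same DOI, level and category bitmap. Function names, the 30-byte category limit as a fixed buffer, and the two sample fragments are this example's own assumptions and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct cipso_label {
    uint32_t doi;            /* domain of interpretation */
    uint8_t  level;          /* sensitivity level */
    uint8_t  cats[30];       /* category bitmap, zero-padded */
};

/* Parse one CIPSO option (type 134, first tag only, tag type 1). 0 = ok, -1 = malformed. */
int cipso_parse(const uint8_t *opt, size_t len, struct cipso_label *out)
{
    if (len < 8 || len > 40 || opt[0] != 134 || opt[1] != len)
        return -1;
    memset(out, 0, sizeof *out);              /* zero padding: memcmp-safe */
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8) | opt[5];
    uint8_t tag_type = opt[6], tag_len = opt[7]; /* tags follow the DOI */
    if (out->doi == 0 || tag_type != 1 || tag_len < 4 || tag_len > 34 ||
        6 + tag_len > len || opt[8] != 0)
        return -1;           /* DOI 0 reserved; bad length; alignment octet != 0 */
    out->level = opt[9];
    memcpy(out->cats, opt + 10, tag_len - 4);
    return 0;
}

/* 1 if every fragment's option parses and carries the label of the first. */
int cipso_fragments_consistent(const uint8_t *frags[], const size_t lens[], size_t n)
{
    struct cipso_label first, cur;
    if (n == 0 || cipso_parse(frags[0], lens[0], &first) != 0)
        return 0;
    for (size_t i = 1; i < n; i++)
        if (cipso_parse(frags[i], lens[i], &cur) != 0 ||
            memcmp(&first, &cur, sizeof first) != 0)
            return 0;
    return 1;
}

/* Constructed sample fragments: DOI 3, level 2, categories {0,5}; frag_b has
 * the level altered to 3, which must make the reassembly check fail. */
static const uint8_t frag_a[] = {134, 12, 0, 0, 0, 3, 1, 6, 0, 2, 0x84, 0x00};
static const uint8_t frag_b[] = {134, 12, 0, 0, 0, 3, 1, 6, 0, 3, 0x84, 0x00};
int demo_check(int tampered)
{
    const uint8_t *frags[2] = { frag_a, tampered ? frag_b : frag_a };
    const size_t lens[2] = { sizeof frag_a, sizeof frag_b };
    return cipso_fragments_consistent(frags, lens, 2);
}
```

A hook placed at the point where fragments are queued for reassembly would call the check before accepting the second and later fragments; a mismatch is a reason to drop the whole datagram, which is also the outcome of the simpler "no fragments when labeling is enabled" policy mentioned in the reply.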