On Wednesday, March 13, 2013 09:36:39 AM Stephen Smalley wrote:
> netlabel vs labeled ipsec: netlabel only supports passing MLS labels
> via CIPSO, no user:role:type preservation. labeled ipsec supports
> passing the entire security context, including user:role:type.

Just one quick comment, and a word of caution, that the differences
between CIPSO and labeled IPsec are much greater than what is described
above.

From a SELinux policy perspective Stephen does touch on the main point:
CIPSO labeled traffic will look like
system_u:object_r:netlabel_peer_t:{MLS-LABEL} to SELinux regardless of
the user:role:type of the sender (only the "MLS-LABEL" information is
passed over the wire) while labeled IPsec will pass the full context
over the wire. However, stepping back from just the SELinux policy,
there are other differences between the two protocols that need to be
considered when building a full solution.

-- 
paul moore
www.paul-moore.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
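The point both Stephen and Paul make above is about information loss on the wire: CIPSO carries only the MLS label, so the receiving policy sees a fixed netlabel_peer_t context, while labeled IPsec carries the whole user:role:type:mls context. The following is an added model of that difference, not code from the thread, from NetLabel, or from libselinux; the fixed peer context system_u:object_r:netlabel_peer_t is taken from the message, the context parser is a simplified stand-in for the real one, and the sample contexts are constructed.

```python
"""
Added example (not from the mailing-list post): how much of a sender's
SELinux context survives the trip over the wire under NetLabel/CIPSO
versus labeled IPsec.

Assumptions: the receiver labels CIPSO traffic with the fixed prefix
system_u:object_r:netlabel_peer_t plus the MLS label from the packet
(as stated in the thread); the context parsing below is a simplified
model of the user:role:type[:mls] string format, not libselinux.
"""
from dataclasses import dataclass
from typing import Optional

# Prefix of the context SELinux assigns to CIPSO-labeled peers regardless of
# the sender's user:role:type (from the thread); only the MLS part varies.
CIPSO_PEER_PREFIX = ("system_u", "object_r", "netlabel_peer_t")


@dataclass(frozen=True)
class SecurityContext:
    user: str
    role: str
    type: str
    mls: Optional[str] = None   # e.g. "s0", "s2:c1,c3" or "s0-s15:c0.c1023"

    @classmethod
    def parse(cls, text: str) -> "SecurityContext":
        # user:role:type optionally followed by an MLS range. The range may
        # itself contain ':' (level:categories), so only the first three
        # fields are split off and the remainder is kept whole.
        parts = text.split(":", 3)
        if len(parts) < 3 or any(p == "" for p in parts[:3]):
            raise ValueError(f"malformed SELinux context: {text!r}")
        mls = parts[3] if len(parts) == 4 else None
        return cls(parts[0], parts[1], parts[2], mls)

    def __str__(self) -> str:
        base = f"{self.user}:{self.role}:{self.type}"
        return f"{base}:{self.mls}" if self.mls else base


def peer_context_cipso(sender: SecurityContext) -> SecurityContext:
    """Context the receiving policy sees for a CIPSO-labeled packet: only the
    sender's MLS label crosses the wire; user/role/type are replaced by the
    fixed netlabel_peer_t context."""
    if sender.mls is None:
        raise ValueError("CIPSO carries only an MLS label; sender has none")
    user, role, type_ = CIPSO_PEER_PREFIX
    return SecurityContext(user, role, type_, sender.mls)


def peer_context_labeled_ipsec(sender: SecurityContext) -> SecurityContext:
    """Labeled IPsec carries the full context, so the receiver sees the
    sender's user:role:type (and MLS range) unchanged."""
    return sender


def fields_lost(sender: SecurityContext, received: SecurityContext) -> list:
    """Names of the context fields the receiver's policy can no longer
    distinguish after transport."""
    return [name for name in ("user", "role", "type", "mls")
            if getattr(sender, name) != getattr(received, name)]


if __name__ == "__main__":
    # Constructed sample: an MLS-enabled sender context.
    sample = SecurityContext.parse("staff_u:staff_r:staff_t:s2:c1,c3")
    for name, fn in (("CIPSO", peer_context_cipso),
                     ("labeled IPsec", peer_context_labeled_ipsec)):
        seen = fn(sample)
        print(f"{name:14} -> {seen}   lost: {fields_lost(sample, seen) or 'nothing'}")
```

Running it shows the practical consequence for policy writers: a rule that keys on the peer's type (say, allowing only a particular domain to talk to a service) can only be expressed over labeled IPsec, because under CIPSO every peer collapses to netlabel_peer_t and only the MLS range is left to decide on.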