Re: SELinux network labeling

On 03/13/2013 01:29 PM, Langland, Blake wrote:
> Great, thank you guys for the clarification. Unfortunately I can't explain too much more about our specific configuration, but I think I am headed down the correct path now with the netlabel/CIPSO peer labeling.
>
> Just a general question about the CIPSO labeling: Is there anything that SELinux does to prevent an adversary from modifying the CIPSO label while on the wire? From what I can tell one would have to rely on other security measures like authentication/encryption to prevent this. I guess this may be a benefit of IPSec peer labeling since it provides authentication and encryption in addition to network labeling. The reason I ruled out IPSec labeling is that we are using Openswan for IPSec and it is my understanding after talking with Josh Brindle that labeling is not supported in Openswan. Are there any plans to bring labeled associations to Openswan?

You can always use regular IPSEC to protect the packet (including its CIPSO label). Labeled IPSEC is only required if you want to convey the entire security context to the peer.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
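
Added example (not part of the original message, and not NetLabel or SELinux code): a minimal decoder for the CIPSO IPv4 option (type 134) carrying a restricted-bitmap tag. It shows that the label travels as plain header fields with no integrity field of its own, which is why the reply points to IPsec for protection. The sample packet, DOI 16, level 3 and the categories are constructed values; only tag type 1 is handled.

```python
import struct

CIPSO_OPT = 134      # IPv4 option type used by CIPSO
TAG_RBITMAP = 1      # tag type 1: restricted bitmap

def build_sample_packet():
    """Constructed IPv4 header (no payload, checksum left 0) with a CIPSO option."""
    # tag: type, length, alignment octet, level 3, bitmap 0xA0 (categories 0 and 2)
    tag = bytes([TAG_RBITMAP, 5, 0, 3, 0xA0])
    opt = bytes([CIPSO_OPT, 6 + len(tag)]) + struct.pack("!I", 16) + tag
    opt += b"\x00" * (-len(opt) % 4)          # pad options to a 32-bit boundary
    ihl = (20 + len(opt)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 0, 0,
                      64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + opt

def _decode(opt):
    # Layout: type, len, DOI(4), tag type, tag len, alignment, level, bitmap...
    if len(opt) < 10 or opt[6] != TAG_RBITMAP or opt[7] < 4 or 6 + opt[7] > len(opt):
        raise ValueError("unsupported or malformed CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    bitmap = opt[10:6 + opt[7]]
    # Category 0 is the most significant bit of the first bitmap byte.
    cats = [b * 8 + bit for b, byte in enumerate(bitmap)
            for bit in range(8) if byte & (0x80 >> bit)]
    return {"doi": doi, "level": opt[9], "categories": cats}

def parse_cipso(packet):
    """Return the decoded CIPSO label from an IPv4 header, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # no-operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IPv4 option")
        body = opts[i:i + opts[i + 1]]
        if kind == CIPSO_OPT:
            return _decode(body)
        i += len(body)
    return None

if __name__ == "__main__":
    print(parse_cipso(build_sample_packet()))
```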

