On Mon, Jul 27, 2020 at 4:36 PM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> The thing, I think, is that netlabel is limited and really geared
> towards MLS, it will only send levels over the wire I believe (except for loopback)
>
> But AFAIK the point of netlabel is to be able to enforce multi-level security
> on secure networks. For example you could have an ssh server running on a
> particular level. In other words netlabel AFAIK should be able to send a
> process/peer level over the network AFAIK.

The original motivation behind NetLabel was to provide an interoperable labeled networking mechanism that would allow SELinux to talk to (at the time) existing trusted UNIX systems such as Trusted Solaris. The NetLabel framework abstraction was created both to be able to support multiple different labeling protocols (CIPSO, CALIPSO, fallback/static) as well as to support multiple LSMs (SELinux, Smack).

Beyond this, we start getting into a bit of a rathole of comparing network labeling designs and implementations, which gets very ugly, very quickly.

--
paul moore
www.paul-moore.com