[redhat-lspp] Re: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 15 16:29:31 UTC 2006


On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> The current approach to labeling Security Associations for SELinux purposes
> uses a one-to-one mapping between xfrm policy rules and security associations.
> This doesn’t address the needs of real world MLS (Multi-level System, traditional
> Bell-LaPadula) environments where a single xfrm policy rule (pertaining to a range,
> classified to secret for example) might need to map to multiple Security Associations
> (one each for classified, secret, top secret and all the compartments applicable to
> these security levels).

What if we want to share a single IPSEC SA for a range, and use e.g.
CIPSO/NetLabel to individually label traffic with individual levels
within that range?  Does this patch set prevent such sharing of SAs?  Or
is it just a matter of how we configure the policy rules for polmatch?

-- 
Stephen Smalley
National Security Agency
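The two labeling approaches contrasted above (one SA per concrete MLS level within an xfrm rule's range, versus one SA shared across the range with each packet carrying its own level via CIPSO/NetLabel) can be modelled in a few lines. The following is an added illustrative model, not kernel code and not part of the MLSXFRM patch set or either author's message; the names `Level`, `Range`, `PolicyRule`, `GranularSADB`, `SharedSADB`, `cipso_tag`, the sensitivity ordering and the sample selector are all assumptions, and the CIPSO tag is a simplified stand-in rather than the wire format.

```python
# Added illustrative model (not kernel code, not from the MLSXFRM patches).
# It contrasts the two SA-labeling approaches discussed in the thread:
#   (a) granular: one IPsec SA per concrete MLS level inside an xfrm
#       policy rule's range;
#   (b) shared: one SA for the whole range, with each packet carrying its
#       own level in a CIPSO/NetLabel option.
# All class/function names and sample values here are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed sensitivity ordering; a real MLS policy defines its own.
SENSITIVITY = {"classified": 0, "secret": 1, "top_secret": 2}


@dataclass(frozen=True)
class Level:
    sensitivity: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        """Bell-LaPadula dominance: sensitivity >= and compartment superset."""
        return (SENSITIVITY[self.sensitivity] >= SENSITIVITY[other.sensitivity]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Range:
    low: Level
    high: Level

    def contains(self, lvl: Level) -> bool:
        """lvl is in the range iff low <= lvl <= high under dominance."""
        return lvl.dominates(self.low) and self.high.dominates(lvl)


@dataclass(frozen=True)
class PolicyRule:
    """An xfrm policy rule that covers an MLS range of traffic."""
    selector: str          # constructed example selector, not real ip-xfrm syntax
    mls_range: Range


class GranularSADB:
    """Approach (a): each level inside the rule's range needs its own SA."""

    def __init__(self, rule: PolicyRule) -> None:
        self.rule = rule
        self.sas: Dict[Level, int] = {}   # level -> SPI

    def add_sa(self, lvl: Level, spi: int) -> None:
        if not self.rule.mls_range.contains(lvl):
            raise ValueError(f"{lvl} lies outside the range of rule {self.rule.selector}")
        self.sas[lvl] = spi

    def select(self, lvl: Level) -> Optional[int]:
        """A packet at lvl is only matched if an SA for exactly that level exists."""
        return self.sas.get(lvl)


def cipso_tag(lvl: Level) -> Tuple[int, Tuple[str, ...]]:
    """Simplified stand-in for a CIPSO label: (sensitivity number, categories).
    The real option encodes categories as a bitmap or ranges; this is not the wire format."""
    return (SENSITIVITY[lvl.sensitivity], tuple(sorted(lvl.compartments)))


class SharedSADB:
    """Approach (b): one SA for the whole range; the per-packet level rides in CIPSO."""

    def __init__(self, rule: PolicyRule, spi: int) -> None:
        self.rule = rule
        self.spi = spi

    def select(self, lvl: Level) -> Optional[Tuple[int, Tuple[int, Tuple[str, ...]]]]:
        if not self.rule.mls_range.contains(lvl):
            return None           # outside the rule's range: no SA for this packet
        return (self.spi, cipso_tag(lvl))


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed example: rule range classified..secret{nuclear}, four packet levels."""
    levels = {
        "classified": Level("classified"),
        "secret": Level("secret"),
        "secret_nuclear": Level("secret", frozenset({"nuclear"})),
        "top_secret": Level("top_secret"),
    }
    rule = PolicyRule("10.0.0.0/8 -> 10.1.0.0/16 any",
                      Range(levels["classified"], levels["secret_nuclear"]))

    granular = GranularSADB(rule)
    granular.add_sa(levels["classified"], 0x1001)
    granular.add_sa(levels["secret"], 0x1002)
    # secret{nuclear} is inside the range but no SA has been configured for it yet
    shared = SharedSADB(rule, 0x2000)

    return {
        "granular": {name: granular.select(lvl) for name, lvl in levels.items()},
        "shared": {name: shared.select(lvl) for name, lvl in levels.items()},
    }


def out_of_range_sa_rejected() -> bool:
    """The granular SADB refuses an SA whose level is outside the rule's range."""
    rule = PolicyRule("any", Range(Level("classified"), Level("secret")))
    try:
        GranularSADB(rule).add_sa(Level("top_secret"), 0x1003)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for approach, result in demo().items():
        print(approach, result)
```

In the granular model a level inside the range that has no SA of its own (secret{nuclear} above) simply has no match, whereas the shared model carries any in-range level over the one SA and pushes the per-packet distinction into the CIPSO label; a level outside the range (top_secret) gets no SA under either approach.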
