[redhat-lspp] Re: [RFC 3/7] NetLabel: CIPSOv4 engine

David Miller davem at davemloft.net
Thu Jun 22 09:12:23 UTC 2006


From: paul.moore at hp.com
Date: Wed, 21 Jun 2006 15:42:38 -0400

> Add support for the Commercial IP Security Option (CIPSO) to the
> IPv4 network stack.  CIPSO has become a de-facto standard for
> trusted/labeled networking amongst existing Trusted Operating
> Systems such as Trusted Solaris, HP-UX CMW, etc.  This
> implementation is designed to be used with the NetLabel subsystem to
> provide explicit packet labeling to LSM developers.

The thing that concerns me most about CIPSO is that even once users
migrate to a more SELINUX native approach from this CIPSO stuff, the
CIPSO code, its bloat, and its maintenance burden will remain.

It's easy to put stuff in, it's impossible to take stuff out even
once it's largely unused by even its original target audience.

And that's what I see happening here.

This is why, to be perfectly honest with you, I'd much rather
something like this stay out-of-tree and people are strongly
encouraged to use the more native stuff under Linux.



