[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes

Ted txtoth at gmail.com
Thu Jun 22 21:12:52 UTC 2006


On Thu, 2006-06-22 at 13:59 -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serue at us.ibm.com> writes:
> 
> > Quoting Paul Moore (paul.moore at hp.com):
> >> 
> >> If I am understanding you correctly this just sounds like adding IP
> >> aliases to an interface, or just simply adding a new NIC, and assigning
> >> each address to a network namespace.  While it's easy to do and even
> >> easier to secure I don't think it addresses the problem we are trying to
> >> solve - port polyinstantiation - where you can have multiple
> >> applications bound to the same IP/protocol/port with the only difference
> >> being the application's security label.
> >
> > I'm really not the expert here, but nevertheless according to what I've
> > heard from at least the PlanetLab guys, we may not need to use nat -
> > having multiple containers with the same IP address may be possible.
> 
> So no.  No nat needed.
> 
> All you have to do is setup a network namespace as a router that routes
> packets by security label to different network namespaces.
> 
>     OUTSIDE WORLD
>         |
>         v
> 
>       ROUTER -> SECURITY SPACE 1
>         |  \
>         |   v 
>         |   SECURITY SPACE 2
>         v
>      SECURITY SPACE 3
>            
> 
> The destination network namespaces are effectively different network
> stacks so they can be configured however you want.
> 
> So a network namespace should be able to solve a port polyinstantiation
> problem.  Allowing you to bind multiple applications to INADDR_ANY
> with the same protocol and port on the same machine. 
> 
> I have a hard time arguing for this case because I can't think of 
> a good reason to implement port polyinstantiation. 

We demo'd a system last year on TSOL where we created polyinstantiated
directories and installed Apache Tomcat, Liferay (portal) and MySQL.
MySQL was used to hold the portal configuration. On the portal we had a
portlet that queried at level a database hosted on an HP-UX CMW using a
web service. We browsed to these portal instances at level using the
TSOL Session Server. All of the web servers accepted connections on the
same port and internally all of the MySQL instances communicated with
the portal code via the same port but they were all running at different
levels. We'd very much like to be able to do something similar on
SELinux at least until the tools catch up.

> 
> Eric
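As an added demonstration of the binding behaviour Eric describes (a constructed script, not code from this thread or from any LSPP tooling), the following Python binds a port in the current network namespace, shows that a second bind in the same namespace fails, and then binds the same port again from a child that has entered a fresh network namespace. It assumes a Linux kernel that lets an unprivileged process create a user namespace (CLONE_NEWUSER) together with a network namespace (CLONE_NEWNET), and calls unshare(2) through ctypes.

```python
import ctypes
import os
import socket

CLONE_NEWUSER = 0x10000000  # clone(2) flag values from the Linux headers
CLONE_NEWNET = 0x40000000

def bind_listener(port):
    """Bind and listen on INADDR_ANY:port in the caller's network namespace."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(1)
    return s

def bind_in_new_netns(port):
    """Fork a child into a fresh network namespace and bind the same port there.
    True: bind succeeded; False: EADDRINUSE; None: namespace creation refused."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child; CLONE_NEWUSER first so no root is needed for CLONE_NEWNET
        os.close(r)
        unshare = getattr(ctypes.CDLL(None), "unshare", None)
        if unshare is None or unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
            os.write(w, b"N")  # kernel or container policy refused (e.g. EPERM)
        else:
            try:
                bind_listener(port)
                os.write(w, b"Y")  # separate stack: the same port is free again
            except OSError:
                os.write(w, b"F")
        os._exit(0)
    os.close(w)
    result = os.read(r, 1)
    os.close(r)
    os.waitpid(pid, 0)
    return {b"Y": True, b"F": False}.get(result)

def demo():
    first = bind_listener(0)  # port 0: let the kernel pick a free port
    port = first.getsockname()[1]
    try:
        bind_listener(port)  # same stack, same port: EADDRINUSE expected
        same_ns_ok = True
    except OSError:
        same_ns_ok = False
    new_ns_ok = bind_in_new_netns(port)
    first.close()
    return {"port": port, "same_ns_second_bind": same_ns_ok, "new_ns_bind": new_ns_ok}
```

Run `demo()` directly: `new_ns_bind` is True where namespaces are available and None where the sandbox forbids them, while the second bind in the original namespace always fails.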
