On Wed, 16 May 2001, Jesse Pollard wrote:
> > /etc/very/secret open. I'd like to be able to support tcp connect/accept
> > and udp send/recv to/from host:port via device (howz that for non-sense? ;-)
>
> Nope - very reasonable. It calls for IPSec layers on TCP, and CIPSO-like
> identification as well. The packet filter firewall rules appear to be acting
> in the place of IPSec.
>
> I would like even more integration....
>
> local user (running secret on host W) attempts to connect to host X.
>
> 1. capability test locally determines that user is allowed network access...
>
> 2. MLS combines access request with security label (secret) and passes it to
> IPSec.
>
> 3. IPSec security association (SA) determines that encryption of the session
> (or packet) is mandatory - policy decision between the local facility
> and the remote facility containing X (and the requirements of the local
> security label and encryption negotiation between W and X...).

If Linux had the capability to set up virtual encrypted network interfaces (cipe?), why not simply

- label cipe0 as a device providing cryptographic transfers
- label your sensitive files as requiring a cryptographic transfer

=> try and send over eth0 => EPERM

Cheers
Chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
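The following Python model shows how the two ideas in this exchange fit together: Jesse's three-step check (capability test, MLS label comparison, encryption-mandatory decision) and Chris's device labels (cipe0 provides cryptographic transfer, eth0 does not, so a file labelled as requiring encryption sent over eth0 gets EPERM). It is an added example written for this archive page, not code from the thread, from CIPE or from any LSM; the capability name CAP_NET_ACCESS, the sensitivity levels, the device labels and the choice of errno values are all constructed for illustration.

```python
import errno
from dataclasses import dataclass, field

# Sensitivity levels, lowest to highest (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Hypothetical capability name standing in for "user is allowed network access";
# it is not a real Linux capability.
CAP_NET_ACCESS = "CAP_NET_ACCESS"


@dataclass(frozen=True)
class FileLabel:
    level: str              # MLS sensitivity level of the data being sent
    requires_crypto: bool   # "requires a cryptographic transfer"


@dataclass(frozen=True)
class DeviceLabel:
    name: str
    max_level: str          # highest level the link is accredited to carry
    provides_crypto: bool   # True for a virtual encrypted interface such as cipe0


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    capabilities: frozenset = field(default_factory=frozenset)


def check_send(user, file_label, device):
    """Return 0 if user may send data carrying file_label over device, else an errno value."""
    # Step 1: capability test - may this user use the network at all?
    if CAP_NET_ACCESS not in user.capabilities:
        return errno.EPERM
    # Step 2: MLS - the user must be cleared for the data, and the link must be
    # accredited to carry data at that level.
    if LEVELS[user.clearance] < LEVELS[file_label.level]:
        return errno.EACCES
    if LEVELS[device.max_level] < LEVELS[file_label.level]:
        return errno.EPERM
    # Step 3: encryption mandatory - data labelled as requiring a cryptographic
    # transfer may only leave through a device labelled as providing one.
    if file_label.requires_crypto and not device.provides_crypto:
        return errno.EPERM
    return 0


def select_device(user, file_label, devices):
    """Return the name of the first device the policy permits for this send, or None."""
    for dev in devices:
        if check_send(user, file_label, dev) == 0:
            return dev.name
    return None


# Constructed sample configuration: a plain Ethernet link and an encrypted tunnel.
ETH0 = DeviceLabel("eth0", max_level="secret", provides_crypto=False)
CIPE0 = DeviceLabel("cipe0", max_level="secret", provides_crypto=True)
DEVICES = [ETH0, CIPE0]

SECRET_FILE = FileLabel(level="secret", requires_crypto=True)
PUBLIC_FILE = FileLabel(level="unclassified", requires_crypto=False)

ALICE = User("alice", clearance="secret", capabilities=frozenset({CAP_NET_ACCESS}))
BOB = User("bob", clearance="confidential", capabilities=frozenset({CAP_NET_ACCESS}))
NONET = User("nonet", clearance="secret", capabilities=frozenset())


if __name__ == "__main__":
    for user in (ALICE, BOB, NONET):
        for label in (SECRET_FILE, PUBLIC_FILE):
            for dev in DEVICES:
                rc = check_send(user, label, dev)
                verdict = "ok" if rc == 0 else errno.errorcode[rc]
                print(f"{user.name:6} {label.level:12} via {dev.name:5} -> {verdict}")
```

The interesting case is the one Chris describes: ALICE is cleared for the secret file and both links are accredited for secret data, but eth0 is refused with EPERM because the file demands encryption and only cipe0 provides it, so select_device routes the send to cipe0.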
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 14:36:29 PDT