Re: 2001_05_09 patch against 2.4.4

From: Chris Evans (chrisat_private)
Date: Wed May 16 2001 - 14:35:04 PDT

  • Next message: Chris Wright: "Re: 2001_05_09 patch against 2.4.4"

    On Wed, 16 May 2001, Jesse Pollard wrote:
    > > /etc/very/secret open.  I'd like to be able to support tcp connect/accept
    > > and udp send/recv to/from host:port via device (howz that for non-sense? ;-)
    > Nope - very reasonable. It calls for IPSec layers on TCP, and CIPSO like
    > identification as well. The packet filter firewall rules appear to be acting
    > in the place of IPSec.
    > I would like even more integration....
    > local user (running secret on host W) attempts to connect to host X.
    > 1. capability test locally determines that user is allowed network access...
    > 2. MLS combines access request with security label (secret) and passed to
    >    IPSec.
    > 3. IPSec security association (SA) determines that encryptions of session
    >    (or packet) is mandatory - policy decision between the local facility
    >    and the remote facility containing X (and the requirements of the local
    >    security label and encryption negotiation between W and X...).
    If Linux had the capability to set up virtual encrypted network interfaces
    (cipe?), why not simply
    - label cipe0 as a device providing cryptographic transfers
    - label your sensitive files as requiring a cryptographic transfer
    => try and send over eth0 => EPERM
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed May 16 2001 - 14:36:29 PDT