> CIPSO is supported on SELinux as well.
That's no reason to extend that design mistake.
> It certainly has uses where IPSec
> is excessive. One example is someone I talked to recently that basically
> has a set of blade systems connected with a high speed backplane that
> looks like a network interface. CIPSO is useful in this case because
> they can't afford the overhead of IPSec but need to transfer the level
> of the connection to the other machines. The backplane is a trusted
> network and that isn't a dangerous assumption in this case.
If one of the boxes gets broken in all are compromised this way?
> CIPSO also lets systems like SELinux and SMACK talk to other trusted
> systems (eg., trusted solaris) in a way they understand.
Perhaps, but is the result secure? I have severe doubts.
> I don't
> regularly support CIPSO as I believe IPSec labeling is more useful in
> more situations but that doesn't mean CIPSO is never useful.
Security that isn't secure is not really useful. You might as well not
bother.
-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]