Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

From: Andi Kleen
Date: Sun Sep 30 2007 - 13:40:20 EST

> CIPSO is supported on SELinux as well.

That's no reason to extend that design mistake.

> It certainly has uses where IPSec
> is excessive. One example is someone I talked to recently that basically
> has a set of blade systems connected with a high speed backplane that
> looks like a network interface. CIPSO is useful in this case because
> they can't afford the overhead of IPSec but need to transfer the level
> of the connection to the other machines. The backplane is a trusted
> network and that isn't a dangerous assumption in this case.

If one of the boxes gets broken in all are compromised this way?

> CIPSO also lets systems like SELinux and SMACK talk to other trusted
> systems (eg., trusted solaris) in a way they understand.

Perhaps, but is the result secure? I have severe doubts.

> I don't
> regularly support CIPSO as I believe IPSec labeling is more useful in
> more situations but that doesn't mean CIPSO is never useful.

Security that isn't secure is not really useful. You might as well not


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at