lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200709301939.57542.ak@suse.de>
Date:	Sun, 30 Sep 2007 19:39:57 +0200
From:	Andi Kleen <ak@...e.de>
To:	Joshua Brindle <method@...icmethod.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>, casey@...aufler-ca.com,
	torvalds@...ux-foundation.org,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org>,
	Paul Moore <paul.moore@...com>
Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel


> CIPSO is supported on SELinux as well.

That's no reason to extend that design mistake.

> It certainly has uses where IPSec  
> is excessive. One example is someone I talked to recently that basically 
> has a set of blade systems connected with a high speed backplane that 
> looks like a network interface. CIPSO is useful in this case because 
> they can't afford the overhead of IPSec but need to transfer the level 
> of the connection to the other machines. The backplane is a trusted 
> network and that isn't a dangerous assumption in this case.

If one of the boxes gets broken in all are compromised this way? 

> CIPSO also lets systems like SELinux and SMACK talk to other trusted 
> systems (eg., trusted solaris) in a way they understand. 

Perhaps, but is the result secure? I have severe doubts.

> I don't  
> regularly support CIPSO as I believe IPSec labeling is more useful in 
> more situations but that doesn't mean CIPSO is never useful.

Security that isn't secure is not really useful. You might as well not
bother.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ