Firewall rules using SELinux context (Was Re: RFE: FireKit)

James Morris jmorris at namei.org
Mon Jul 27 14:32:31 UTC 2009


On Mon, 27 Jul 2009, Daniel J Walsh wrote:

> This is all fascinating conversation.  But the question still arises, 
> why can't anyone use SECMARK/IPTABLES rules on a Targeted policy system.  
> My opinion is that it is still too difficult.

Well, it's taken years to get all the basic technology into place 
(including CIPSO and Labeled IPSec), and no work at all has gone into 
usability as yet.

I envisage providing high-level abstractions in one of two ways:

a) Building network labeling into a project as a standard configurable 
aspect of that (e.g. virtualized secure networking for VM to VM 
communication), which is integrated into and managed by the existing 
management tool, like we have with sVirt.  No policy knowledge is 
required, just how to use e.g. virt-manager to configure sharing via the 
network.

b) Network design tools which let you visually design and manage protected 
communications paths between processes on different machines, e.g. for 
managing your DMZ.  This would generate policy and distribute it to 
systems on the network & really be something for advanced users, but 
domain-specific i.e. thinking in terms of network security vs. SELinux 
policy.

Note that there was never any intention for people to have to know the 
low-level SELinux policy (as far as I recall).  The high-level 
abstractions we're building with kiosk mode, svirt, sandbox etc. are some 
glimpses into where things are headed now that we have most of the base 
technology in place.

- James
-- 
James Morris
<jmorris at namei.org>
