Firewall rules using SELinux context (Was Re: RFE: FireKit)
James Morris
jmorris at namei.org
Mon Jul 27 14:32:31 UTC 2009
On Mon, 27 Jul 2009, Daniel J Walsh wrote:

> This is all fascinating conversation. But the question still arises,
> why can't anyone use SECMARK/IPTABLES rules on a Targeted policy system.
> My opinion is that it is still too difficult.

Well, it's taken years to get all the basic technology into place
(including CIPSO and Labeled IPSec), and no work at all has gone into
usability as yet.

I envisage providing high-level abstractions in one of two ways:

a) Building network labeling into a project as a standard configurable
aspect of that (e.g. virtualized secure networking for VM to VM
communication), which is integrated into and managed by the existing
management tool, like we have with sVirt. No policy knowledge is
required, just how to use e.g. virt-manager to configure sharing via the
network.

b) Network design tools which let you visually design and manage protected
communications paths between processes on different machines, e.g. for
managing your DMZ. This would generate policy and distribute it to
systems on the network & really be something for advanced users, but
domain-specific i.e. thinking in terms of network security vs. SELinux
policy.

Note that there was never any intention for people to have to know the
low-level SELinux policy (as far as I recall). The high-level
abstractions we're building with kiosk mode, svirt, sandbox etc. are some
glimpses into where things are headed now that we have most of the base
technology in place.
- James
--
James Morris
<jmorris at namei.org>