Full SELinux Labels Over Loopback with NetLabel and CIPSO

Jun 29, 2012 18:11


Perhaps one of the largest shortcomings of the CIPSO network labeling protocol when used with SELinux is that it can only convey the SELinux MLS attributes across the network. There are plenty of good reasons for this: strict conformance with the protocol specification, limited space in the IPv4 header, interoperability with non-SELinux ( Read more... )
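As an added illustration of what "full labels over loopback" means in practice (this is example code written for this page, not code from the post or from the NetLabel project): a TCP connection over 127.0.0.1 asks the kernel for the peer's security context with the SO_PEERSEC socket option. On an SELinux system with no labeled networking on loopback the kernel has no peer label and getsockopt fails with ENOPROTOOPT; once NetLabel carries the label across loopback, the server side sees the client's complete user:role:type:mls context. It assumes a Linux kernel and the Linux value 31 for SO_PEERSEC, which Python's socket module does not export; on a kernel without SELinux the helper returns None rather than a context.

```python
import socket
import threading

# Linux-specific socket option (value 31); assumed here because the Python
# socket module does not expose it as a constant.
SO_PEERSEC = 31


def peer_security_context(sock):
    """Return the security context of the peer of a connected stream socket.

    Returns None when the kernel has no label for the peer: no SELinux at all,
    or SELinux without labeled networking on this path (the common case for
    loopback TCP unless NetLabel/CIPSO or labeled IPsec is configured).
    """
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        # ENOPROTOOPT from SELinux means "no peer label"; other LSMs or
        # kernels may reject the option differently, so treat any error
        # as "no usable context" rather than guessing.
        return None
    return raw.rstrip(b"\x00").decode("utf-8", "replace")


def loopback_peer_context(host="127.0.0.1"):
    """Connect to ourselves over loopback and report what the accepting side
    sees as the connecting side's security context."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # ephemeral port chosen by the kernel
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def accept_once():
        conn, _ = srv.accept()
        with conn:
            result["ctx"] = peer_security_context(conn)

    worker = threading.Thread(target=accept_once)
    worker.start()
    with socket.create_connection((host, port)):
        worker.join()
    srv.close()
    return result["ctx"]


def label_is_full_context(ctx):
    """True when the peer label is a complete SELinux context (at least
    user:role:type) and not the unlabeled placeholder; this is the property
    that CIPSO alone, carrying only the MLS part, cannot provide."""
    if ctx is None:
        return False
    fields = ctx.split(":")
    return len(fields) >= 3 and "unlabeled_t" not in ctx


if __name__ == "__main__":
    ctx = loopback_peer_context()
    print("peer context over loopback:", ctx)
    print("full context delivered:", label_is_full_context(ctx))
```

Run it as root is not required; the interesting comparison is the output before and after enabling a NetLabel mapping for the loopback address on an SELinux host. On a host without SELinux the script simply reports None.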

netlabel, documentation


Comments 6

anonymous February 6 2013, 11:53:10 UTC
If I want to send the complete SELinux security context (including the MLS level) over the network (and not over the loopback network interface), can you suggest a suitable way to do this?

paulmoore February 6 2013, 16:02:45 UTC
At present the only way to send the entire SELinux security context over the network is with labeled IPsec. A word of caution about labeled IPsec: it only works with other Linux/SELinux systems, and those systems should be using the same type/version of the SELinux policy to avoid any problems with the SELinux contexts having different meanings on the two systems.

anonymous February 12 2013, 05:41:01 UTC
Does labeled IPsec work with InfiniBand and/or IP over InfiniBand?
If not, is there any way to send the entire SELinux security context over InfiniBand or IP over InfiniBand?

paulmoore February 12 2013, 14:47:25 UTC
Labeled IPsec is like traditional IPsec in that it runs on top of IPv4 or IPv6. While I've personally never tested labeled IPsec running on non-Ethernet based networks, as long as IP is supported properly I see no reason why labeled IPsec would not work over IP/InfiniBand.
