Actually this is’nt YET userspace and they are trying to make it userspace. Anybody has an idea how they will do this? It can also be a good research direction.

I have read the article and here few questions and comments.

First of all my overall impression is that the research area is very nice, and contains valuable potential which we can explore at the moment.

Now coming to some specific comments/Questions.

1. I am summarizing the whole idea here: A computer say Alice wants to make a communication with another computer say Bob and wants to access a service there. The service is a web service running on an Apache. It is destined for port 80 and for IP 192.168.0.1. When the request leaves the domain of the Alice computer, it is labelled by the Alice machine with some SELinux label right? (out going labelling) Or, when the request reaches the Bob machine, the interface say eth0 labels the request with SELinux label (in-coming labelling). This kind of label helps to identify the request, and its destination. The request cannot be destined for another apache running on Bob machine right? Am I right that labelling is done on both the computers i.e. of Alice and i.e. of Bob?
2. The article has mentioned that some functionality can be achieved by IPTABLES firewall, but there is a disadvantage associated with it: the control goes out of the security server of SELinux, which is Of course not their choice right?
3. Suppose if the communication between the Alice and Bob machine is encrypted such that headers are also encrypted. How the labelling service at the interfaces like Ethernet will identify the destination domain of the packet.
4. IPSec is only for labelling network traffic? Please explain some of its terminologies to me, like SA, SPD. I have the general idea, but just for better understanding.
5. See figure 1: A Mozilla is running and making a call to Apache. Although the services are running on two separate computers, it looks like that services are running on one computer (this is the underlying idea of labelling packets with SELinux labels right). That is, try to achieve the functionality of a single computer, single domain with SELinux labels right?
6. I have tried to illustrate my understandings, now some questions on your part. You told me about distributed policy management and PMS. The question is that you want to manage the policies remotely so that Bob computer can tell the SELinux at Alice computer that which service should be labelled with what right? I mean this information have to be conveyed to Alice computer by BOB right ? is this your idea? i.e. distributed PMS?
7. Regarding development, they have already this IPSec functionality developed, how you want to go in to this direction.
8. Kindly clarify your objectives in this regard and your implementation.

Best,
MM Alam

Your last question which is the easiest: IPSec was implemented around the end of 2005. It is being tried by many ppl at this time when one goes through tht emailing list so it means little can be done alone to it. But the environment which it addresses is not distributed purely. One has to have access to both the polices i.ie both nodes to have a consistent poicy. Here comes the idea of a centralized policy. Now over here I bring Tresys’ Policy Management Server (also Policy Management Client) if u remeber that paper which I linked earlier to the blog. They have cleary brought out two ways for a distributed MAC. Completely centralized and semi centralized policy. I chose the second one and they also prefer it. Make that policy centralized which is for those applications which are distributed by nature i.e. networked applications. Our objective is to make a sound framwork and a prototype using ipsec , PMC and our meta policy for the policy. I have some idea which I will tell u later regarding managing the ifs and buts.
SA is associated with an aplication and this is how the remote node understand the context of the local node application. For a simple howto go through the IPSec help in windows.
Ur 6th question is what we have to study because all posibilities are there. That is what needs to be filled. Rest is already done.
At the moment I am practicing SELinux policies and learning the required tool because we have to hit PMS next and make alteration for our tobe framework!
IPtables has been extended due to the LSM being implemented in kernel. So selinux and iptables share the same roots thats why they can be intermingles for network.

I get too confused dealing with TC concepts and selinux and distributed thingy at the same time. I wish Amin would have been here to share some with us.

I will appreciate if someone can help me with making IMA user space if it is easy warna toh its a full research area by itself!

I get too confused dealing with TC concepts and selinux and distributed thingy at the same time. I wish Amin would have been here to share some with us.

I will appreciate if someone can help me with making IMA user space if it is easy warna toh its a full research area by itself! This is importan because linus and his band of brothers is not allowing stacking. We can have an interface for userspace security models to access the kernel in a much stacking like manner!

I just wish we had a bigger team.

shaz i think you are diverging alot… its not good bcoz it make one very much confused and worried and tense as well, as i got in near pasts Try to converge your idea’s to one point and dont try to set bigger goals, try to hav smaller ones so that you get incouraged by the time you get a smaller one… allthough its our fault specially that we are not giving you any guidence and trying to solve your problem.

i am now specifically working on the trusted computing implementation and will also be working on the apache modules as well. i will discuss my idea with you as we meet on friday inshallah.

more on friday… m in isb in a net cafe working over here

TC Ah

I think you are right sirjee because I do feel a lot of tension because I want to finish this report and have atleast one paper ready by the end of this month. This is becoming a nightmare because too many things and nobody to talk to about it leaving sharing the load aside!

I have been observing people working at ibm and tresys. They have been working on the work I want to for the past three to four years and I am aiming at it in a few month! And without any prior experiance in this field and even serious programming. And you are aware about my security concepts!

I don’t know where that point lies where I will work out something new or useful. I can sum up my thesis even with the curent material but it will brake my rythm.

Can you plz sort it out with me sometimes. I don’t try to be burden on you because you are already facing many issues and Mr. MMA is taking too many tasks on hand and then he is in no shape to discuss any ideas with. If Amin would have been well then atleast I could discuss it with him.

I read similar article also, and it was completely different. Personally, I agree with you more, because this article makes a little bit more sense for me.

found your site on del.icio.us today and really liked it.. i bookmarked it and will be back to check it out some more later ..