Network Development

James Morris originally implemented an experimental labeled networking implementation called Selopt for the old LSM-based SELinux using CIPSO/FIPS188 IP options, but the necessary infrastructure to support that implementation was not merged into Linux 2.6. This implementation is still available for reference from the Historical Versions of SELinux page, as part of the old LSM-based SELinux. It has been superseded by Paul Moore's work on a new CIPSO implementation for Linux, described below.

Trent Jaeger of IBM later integrated IPSEC with SELinux so that IPSEC security associations can be used to implicitly label packets. This work has been incorporated into Linux kernel 2.6.16 and has been further enhanced since that time, with further extensions by Catherine Zhang of IBM and Venkat Yekkirala of TCS. The original work is described in:

• Trent Jaeger's Network Mandatory Access Control page
• Trent's 2005 SELinux Symposium Presentation (PDF)
• IBM Research Report (PDF)

Paul Moore of HP later implemented CIPSO support for SELinux to provide compatibility with existing trusted operating systems. Information is available from the NetLabel sourceforge site. This work is being incorporated into Linux 2.6.19, as well as back ported to 2.6.18 for RHEL5.