Article on SELinux Networking

Josh Brindle has written an in-depth article, Secure Networking with SELinux, which covers some of the different network security mechanisms in SELinux. Of particular value is its discssion of labeled IPSec, which is currently not well documented. Josh includes some worked examples of use with explanations, and discussion of potential uses:

For example, one possible application of this technology is to have an ‘internal’ and ‘external’ browser on employee workstations. The internal browser would run in a domain that is allowed to access internal company web application servers that contain confidential customer information while the external browser can access the internet. This reduces the risk that rogue internet content can compromise your internal data. This kind of separation would be much more difficult (or impossible) without SELinux’ advanced networking controls.

Linux now has some very powerful and expressive network security capabilities; perhaps unmatched anywhere. Better usability is an important next step with this, and I suspect from comments in the article that Josh may have more for us on this soon.