On Sun, 20 Jun 2004 06:52, Lawrence Bowie <thesource@xxxxxxxxxxx> wrote: > At this point SELinux does not have official "Orange Book" > classification, right? Classification applies to complete OS installations. SE Linux is not an OS, it is a security enhancement for Linux, and therefore it is not eligible for certification on it's own. It is expected that Linux distributions incorporating SE Linux technology will do well in certification tests. AFAIK no-one has done such tests yet, and Red Hat Enterprise Linux 4 when it's released next year is likely to be the first Linux distribution to go through the certification process with SE Linux enabled. Also I believe that classifications such as "C2" and "B1" are obsolete and have been for years. http://csrc.nist.gov/cc/ http://www.commoncriteriaportal.org/public/developer/index.php?menu=1 Above is a link to information on the Common Criteria (replacement for the "Orange Book"). Computer systems are evaluated against a "Protection Profile" (PP). Conformance to that PP is evaluated according to an "Evaluation Assurance Level" (EAL) which is a numerical rating that indicates how well you achieved the goals of the PP. A higher EAL number does not necessarily mean a more secure system, a lower EAL number for a different PP may be more difficult to achieve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
