On Mon, 2007-10-22 at 12:05 -0400, Huntress Gary B NPRI wrote:
> Hi Everyone,
>
> I have some, but not a lot, of experience with SELinux. I've recently
> learned about the MLS aspect and this interests me a lot. I manage a
> number of small projects that have both an unclassified and a
> classified component. As I understand the capabilities of MLS, in
> theory I could merge these functions onto a single hardware platform
> at a significant total cost savings. I could also, in theory,
> implement my own "assurance guard" at a potential savings of over
> $50K.
>
> There is a lot for me to learn and a lot of the issues are not
> technical but administrative. That is, it's not what I "can" do, it's
> what I "may" do. I'd like to hear from anyone in the DoD that has
> successfully implemented an approved/accredited MLS workstation,
> particularly if it is on a network. Right now I cannot see how I
> could ever convince my IA folks to let me run a system with a NIPRNET
> eth0 and a SIPRNET eth1.

I doubt you could convince them, either. According to wikipedia,
"NIPRNet is, by design, a parallel airgapped analogue to the SIPRNET"
[1]. Furthermore, RHEL5 has been evaluated against the LSPP which
assumes [2] that any peers "are assumed to be under the same management
control and operate under the same security policy constraints" as the
TOE. Meanwhile, CLIP [3] is only shooting for PL4.

Good luck, and please send along any success stories.

rob.

[1] http://en.wikipedia.org/wiki/NIPRNET
[2] LSPP 3.3.4 A.PEER
[3] http://oss.tresys.com/projects/clip