Linux is more secure than windows cuz blah blah blah lies blah blah lies blah...
Ok, maybe you are just misinformed!
http://www.commoncriteriaportal.org/public/consumer/index.php
Red Hat Enterprise Linux Version 5 running on IBM Hardware
EAL4+ (Certified: 7 June 2007)
http://www.commoncriteriaportal.org/public/files/epfiles/st_vid1012...
Microsoft Windows 2003/XP with x64 Hardware
EAL4+ (Certified: 18 September 2006)
http://www.commoncriteriaportal.org/public/files/epfiles/ST_VID1015...
(Edit: RHEL4 has the same EAL4+ certification.
+ More on levels and what they need here:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level)
Edited 2007-08-22 03:31
Except that RHEL 5 has EAL4+ for the Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC). The documents you linked to show that Windows only has EAL4+ with CAPP. It does not have any of the other protection mechanisms, which is what is really important. The only other consumer OS to meet that higher level of certification is Trusted Solaris.
As far as Windows getting certified in September and RHEL 5 being certified in June, RHEL 5 wasn't released until March. XP was released in 2001 and 2003 was released in 2002. 3 months vs. 5 and 3 years is a big difference.
"Linux is more secure than windows cuz blah blah blah lies blah blah lies blah... "
Well, technically EAL4+ is the certification for the level of assurance that the technical features are implemented correctly.
The protection profile is the actual set of security features evaluated, and as of right now the protection profiles that RHEL 5 is EAL4+ certified for are:
Controlled Access Protection Profile, Version 1.d
Labeled Security Protection Profile, Version 1.b
Role Based Access Control Protection Profile Version 1.0 (Archived)
This is roughly TCSEC B1 level security and the primary facilitator for Labeled and Role Protection is SELinux's MAC model.
Windows, while also EAL 4+, is only certified for the CAP Profile which is essentially TCSEC C2.
While NT 6 (Vista and Windows Server 2008) introduces Mandatory Integrity Control, this is not the same thing as a full MAC model (as MIC only enforces mandatory restrictions on modification of objects, not access to them). With the extension of the SACL on objects in NT 6, I wouldn't be surprised to see a full MAC model in the next release.
It's also interesting to take note of the configuration of the systems submitted for eval as those are the only components covered by the EAL. So, for example, Windows is EAL4+ certified for the CAP profile, including all its components, whereas RHEL isn't certified EAL for any profile if the configuration includes X (e.g. a graphical/workstation workload). This is where comparing the two becomes increasingly difficult, because one may be evaluated to support more workloads with certain features, while the other has more features but is limited in what workloads are covered.
These certifications and features may be great (and yes SELinux is pretty neat stuff), but it all comes down to systems/applications implementation and workloads, and in that respect, it is possible to build very secure solutions on either platform. However, for the moment, a proper SELinux implementation (e.g. RHEL) is certified for more stringent access protection profiles, though the configuration of Windows systems submitted potentially covers more workloads (but only up to the CAP profile).
"maybe you are just misinformed!"
No, not misinformed - just misquoted the version. I did try to track down the specific article that I read about it - but couldn't find it. However, the info has been correctly stated by the others responding to you.
Regardless, Linux has been certified at a higher level than Windows as a result.
That doesn't really wash with me. This seemingly endless blabber that all things Linux are more secure than all things Microsoft has been shown to be wrong time and time again. That doesn't mean the reverse is true either.
Well, how about the fact that Linux has achieved the highest security certification level available to commercial OSes - a level only achieved by Sun's Trusted Solaris (at least as far as popular OSes are concerned). (I believe it's RHEL4 that made it.)
That's more than Microsoft can say, and it was possible because of the NSA's contribution of the SELinux code to the Linux Kernel.
It's also not something that's merely pro-Linux.