[Security_sig] Reply about draft Army guide

Stephen Smalley sds at epoch.ncsc.mil
Tue Feb 15 09:20:10 PST 2005


On Tue, 2005-02-15 at 12:15, Andy Murren wrote:
> 2.  There are several ways to implement MAC.  At the time I started
>     this document SELinux was not allowed.  Other tools to implement
>     MAC include grsecurity (http://www.grsecurity.net/) which is
>     available from the grsecurity site and is one of the Gentoo
>     Hardened projects.  (We may want to review this as an alternative
>     to SELinux).  I cannot state one way or another what the Army is
>     doing about MAC for Linux systems or its position on SELinux.

- SELinux is also included in Hardened Gentoo.
- SELinux is included in RHEL4, which was officially released today by
Red Hat.  
- grsecurity does not implement MAC per any definition of MAC that would
pass evaluation.  It does not support information flow control.
- Many other so-called MAC implementations for Linux are likewise
unsuited for controlling the flow of information throughout the system
and cannot support DoD needs.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



