Walsh: Introducing the SELinux Sandbox
Posted May 28, 2009 18:57 UTC (Thu) by hozelda (guest, #19341)
In reply to: Walsh: Introducing the SELinux Sandbox by spender
Parent article: Walsh: Introducing the SELinux Sandbox
Well, to add balance, I want to again state that no vendor should step up to the plate if they won't at a minimum open up their blueprints. Red Hat may talk however they want, but I believe they are putting all their cards on the table for the customer and the world to verify as much as they want. This is in stark contrast to the many vendors that try to hide exclusively behind pulling off a certification (all tests can be beaten) or worse.
[You quoting] >> Given the above mentioned remote root exploit, using SELinux for such a purpose is both frightening and irresponsible. I'm not exaggerating at all here; here's an entire paragraph straight out of the article:
[You quoting] >> "Some organizations go as far as to purchase dedicated systems for each security level. This is often prohibitively expensive, however. A mechanism is required to enable users at different security levels to access systems simultaneously, without fear of information contamination."
That paragraph concludes, "A mechanism is required to enable users at different security levels to access systems simultaneously, without fear of information contamination."
It does not conclude that SELinux version anything.anything on arbitrary hardware is nirvana. That paragraph makes no allegations about a product, or for that matter about any model.
In fact, that webpage ends with the following [note the tone and subject]:
>> Efforts are being made to have Linux certified as an MLS operating system. The certification is equivalent to the old B1 rating, which has been reworked into the Labeled Security Protection Profile under the Common Criteria scheme.
I don't think Red Hat is claiming Linux is the Second Coming as it almost appears you allege they are doing.
[You said] >> A reasonable view like that is what's needed in Red Hat's article above. Instead of offering software as a replacement for air-gap and suggesting there's "no fear of information contamination"....
Yeah, unless you point to more "evidence", I am thinking that you misunderstood or misjudged that webpage.
I didn't see Red Hat claiming their product was perfect. The article even refers over and over to models, implicitly by using general terms, and explicitly by actually using the word "model" as it compares.
The entire discussion is very general in details. It is nothing remotely like a proof. It does not at all address the issue of imperfections in implementation or make any claims in this respect.
I already mentioned the certification effort underway (according to the webpage). I do very much doubt ANY certification authority will ever carry out an infallible proof or exhaustive testing, or could be trusted to do so without independent verification.
To conclude, I think you are overestimating the claims that Red Hat is presumably making. It's clear from the type of discussion that they are not offering any claims for an actual product. What they offer is a high level description of the model upon which their product is based. They offer the source code so the customer and the world have an opportunity to separate hype from reality. They possibly offer a certification. It's notable to mention that few vendors offer the entire buildable source code so that others can check up on the glossy hype. Unfortunately, I wish the open source community was advanced enough to be offering the source code to hardware.
