On Tue, 2006-12-19 at 09:26 -0600, Klaus Weidner wrote:
> On Tue, Dec 19, 2006 at 09:14:03AM -0600, Klaus Weidner wrote:
> > [...] so it would be inappropriate to say that "SELinux" meets the
> > requirements. You need to consider the developer (Red Hat) and the
> > sponsor (who usually provides additional testing and documents) also.
>
> I didn't mean to imply that Red Hat was solely developing the software,
> it's of course a community effort. It was intended as an example of what
> the CC process considers to be the developer in such an evaluation, since
> the CC are not designed to evaluate open source as such.

"vendor" or "distributor" might be clearer. The NSA SELinux FAQ tries to
be very clear that SELinux by itself isn't suitable for evaluation, e.g.
http://www.nsa.gov/selinux/info/faq.cfm#I12
http://www.nsa.gov/selinux/info/faq.cfm#I15
while referring to the ongoing work to have it incorporated into a
complete system that is in evaluation (in this case, as part of Red Hat
Enterprise Linux 5, as listed on the NIAP site).

--
Stephen Smalley
National Security Agency
