SELinux Symposium



Symposium Committees

Previous Meetings
2007 Symposium
2006 Symposium
2005 Symposium
2004 Meeting


Sponsorship opportunities

Contact Us


2006 SELinux Symposium Case Studies

Open Source and Commercial Applications in a Java-based SELinux Cross Domain Solution

Boyd Fletcher, Joint Forces Command - Joint Experimentation Directorate

Cross Domain Solutions (CDS) provide the essential boundary between networks of different security classifications and play a critical role in national and international security. Traditionally CDS development has been bottom-up with all efforts being reproduced for each product. This bottom-up effort requires developers to recreate the applications, filters, and security architecture for each product. However, bottom-up CDS development has been a complex, lengthy, and thus expensive endeavor. We recently addressed these concerns with a development effort which was tasked with the creation of suite of CDS systems.

CDS development efforts have focused on producing a full suite of filters and applications in addition to developing a security architecture from the bottom-up. During the development of the Cross Domain Collaborative Information Environment (CDCIE) we found that by using SELinux to create a security architecture and through careful combination of commercial applications, open source applications, and filters developed in Java we have been able to produce a secure CDS without the traditional bottom-up effort. The CDCIE team has also found several distinct advantages to using this technique in addition to the reduction in the complexity and length of development thereby reducing the overall costs.

Developing the CDCIE Suite in a mixed environment was not without its own set of difficulties. Commercial applications could not be easily modified to adhere to the security constraints of the system architecture. Policy had to be developed around the commercial applications; security architecture should drive application development, not vice-versa. We will discuss how SELinux can be used to eliminate extraneous access even in closed source applications. Open source applications had to be modified to support the protocols and specifications developed. Fortunately they could also be modified to fix bugs exposed via SELinux. Standard Java IPC mechanisms did not provide the granular access controls required for the CDS environment. We have also begun work on the next task by modifying an existing system library wrapper called JTUX (Java To UniX) so we could further confine information flow between Java filters with SELinux policy. We will discuss the success we had in overcoming these difficulties but will also address the lessons learned during the process and thoughts we have for the future.

Enhancing IBM Websphere with SELinux

Marc Hocking, UK Cabinet Office, e-Government Unit, UK, Karl MacMillan, Tresys Technology, USA, and Doc Shankar, IBM, USA

This case study will present our work on creating a prototype IBM Websphere solution enhanced with SELinux for use in a UK e-Government pilot program. We will present the security requirements of the UK Government for enterprise application servers and the technical details of how the prototype application meets those needs. Included will be a discussion of the underlying technology that creates a configurable and deployable SELinux security enhancement for IBM Websphere and other enterprise applications. In particular, we will present our novel approach and infrastructure for customizing policies at deployment time based on application and user settings. This allows us to enforce fine-grained network access controls across a distributed enterprise application without forcing the application server administrators to understand or edit SELinux policy.

©Copyright 2005-2006 SELinux Symposium, LLC
Privacy Statement