2007 SELinux Symposium Abstracts
The Design and Implementation of a Guard Installation and Administration Framework
Boyd Fletcher and Christopher Roberts, United States Joint Forces Command J9
The Guard Installation and Administration Framework is a set of applications and processes
to reduce the development costs for building installation and maintenance subsystems
for SE Linux based cross domain guarding solutions. This paper discusses the issues with
developing SE Linux based guards and our solutions to them.
FCGlob: A new SELinux file context syntax
Donald Miner, UMBC
James Athey, Tresys Technology
A new syntax designed to replace the usage of regular expressions
in SELinux's file contexts is proposed, named FCGlob. There are several
major problems with using regular expressions for file contexts, such as an
approximated sorting, ambiguous declarations, common user errors, obfuscation
due to cleverness and the difficulty in finding set relationships. FCGlob is
designed to address all of these problems by using a simpler syntax that is more
tailored to matching UNIX file paths. The new syntax encourages clear
and simple patterns, discourages cleverness and laziness and makes it easy
for a computer to analyze. In addition to fixing several problems, FCGlob also
opens the door to several enhancements. The basis for most enhancements
is the use of a tree data structure as opposed to the linear list that
is used in the current implementation of file contexts. Several benefits result
from the usage of a tree structure, such as a faster matchpathcon and
the possibility for many new features. Implementing the FCGlob prototype
can be done without making any changes to libselinux by converting
all the FCGlobs into regular expressions and ordering them in a
linear list. This way not too much work has to be done to
demonstrate the advantages of FCGlob. If the prototype is successful
and accepted it can then be integrated into libselinux as a complete replacement.
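The prototype strategy the abstract describes, as an added illustration (this is not code from the paper or from libselinux): each glob-style spec is compiled to an anchored regular expression and the list is ordered by specificity so the most specific entry comes last, mirroring the last-match-wins lookup of file_contexts. The page does not define FCGlob's syntax, so the shell-like glob rules and the sample specs below are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample specs (glob pattern, security context). Assumed syntax:
#   *   matches within one path component (never '/')
#   **  matches across path components
#   ?   matches a single non-'/' character
SAMPLE_SPECS = [
    ("/var/www/**",         "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/cgi-bin/**", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    ("/var/**",             "system_u:object_r:var_t:s0"),
    ("/etc/shadow",         "system_u:object_r:shadow_t:s0"),
    ("/etc/*.conf",         "system_u:object_r:etc_t:s0"),
]

def glob_to_regex(pattern: str) -> str:
    """Translate one glob spec into an anchored regex usable in file_contexts."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):      # check '**' before single '*'
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))          # literal characters, '.' included
        i += 1
    return "^" + "".join(out) + "$"

def specificity(pattern: str) -> Tuple[int, int]:
    """Longer literal prefix is more specific; fewer wildcards breaks ties."""
    literal = len(re.split(r"[*?]", pattern, maxsplit=1)[0])
    wildcards = pattern.count("*") + pattern.count("?")
    return (literal, -wildcards)

def compile_specs(specs) -> List[Tuple[re.Pattern, str]]:
    # Ascending specificity: the most specific spec ends up last in the list.
    ordered = sorted(specs, key=lambda s: specificity(s[0]))
    return [(re.compile(glob_to_regex(p)), ctx) for p, ctx in ordered]

def lookup(compiled, path: str) -> Optional[str]:
    """Linear scan where the last matching entry wins, as file_contexts does."""
    result = None
    for rx, ctx in compiled:
        if rx.match(path):
            result = ctx
    return result
```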
Setroubleshoot: A User Friendly Tool to Diagnose AVC Denials
John Dennis, Red Hat
Practical experience with the deployment of SELinux has shown it is often
disabled in the field negating its promise. Anecdotal evidence suggests
software developers and end users consider it difficult to use, comprehend,
and the root cause of mysterious failures. Perceived as a productivity barrier,
it is expediently disabled. A new tool has been developed which
exposes AVC denials in real time and interacts with a user, presenting information
in a friendly manner explaining the current denial and suggesting possible
solutions. Replacing the hidden, often obscure failures in software which
only occur when SELinux is enabled with friendly notification of SELinux's
actions will improve the user experience, fostering adoption.
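The kind of real-time translation the abstract describes, as an added example (not setroubleshoot's own code): parse an AVC denial record from the audit log into its fields, render a plain-language explanation, and pick a suggested next step. The sample log line is constructed, and the suggestion heuristic is an assumption for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample AVC denial in audit-log format (not from a real system).
SAMPLE_AVC = (
    'type=AVC msg=audit(1172347200.123:42): avc:  denied  { read } for  '
    'pid=2134 comm="httpd" name="index.html" dev=sda3 ino=98765 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

@dataclass
class Denial:
    perms: List[str]
    fields: Dict[str, str]

def parse_avc(line: str) -> Optional[Denial]:
    """Return the denial's permissions and key=value fields, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(m.group("perms").split(), fields)

def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, the part users usually need to see."""
    return ctx.split(":")[2]

def explain(d: Denial) -> str:
    src = context_type(d.fields["scontext"])
    tgt = context_type(d.fields["tcontext"])
    what = d.fields.get("name") or d.fields.get("path", "?")
    return (f"SELinux prevented {d.fields.get('comm', '?')} (running as {src}) from "
            f"doing {', '.join(d.perms)} on the {d.fields['tclass']} '{what}' labeled {tgt}.")

def suggest(d: Denial) -> str:
    # Assumed heuristic: a confined service touching user home content is most
    # often a mislabeled file, so point at relabeling before any policy change.
    if context_type(d.fields["tcontext"]).startswith("user_home"):
        return ("If this file is meant for the service, fix its label (restorecon, or "
                "semanage fcontext for a persistent rule); otherwise keep the denial.")
    return "If the access is legitimate, audit2allow can draft a local policy module from it."
```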
Integrating SELinux with Security-typed Languages
Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel, Pennsylvania State University
Recent advances in the area of security-typed languages have enabled
the development of realistic applications aware of information flow
security. Traditionally, operating systems have enforced MAC with
minimal dependence on application programs. Although these approaches
have common goals, they have progressed independently. However, there
are many cases where systems depend on user-level programs to enforce
information flows, so integration of information flow enforcement
between the operating systems and security-typed applications would be
beneficial. In this paper, we examine what it takes to integrate information
flow enforcement of a security-typed extension of Java with SELinux. We
find that SELinux has most of the necessary features to build a proof-of-concept
system, but other services are necessary, such as verifying compliance
between information flow policies. Ultimately, we are optimistic that the
comprehensive access control enforcement of SELinux will be ideal for
integration with these security-typed applications.
Integrating X.Org with Security-Enhanced Linux
Eamon Walsh, National Security Agency
The proposed paper will outline the progress that has been made on
adding Security-Enhanced Linux policy support to the X Window System, a
major component of the Linux desktop. The work consists of two
modifications to the X.Org X server implementation, as well as supporting
infrastructure in libselinux. The first modification is the replacement
of the existing X server Security extension with a more general framework
of hook functions and security state, similar to the Linux Security Module.
The second modification is a new X server extension which provides trusted
path input and window labeling, and acts as an SELinux object manager, extending
the enforcement of a kernel-based security policy to the X server in userspace.
Using GConf as an Example of How to Create a Userspace Object Manager
James Carter, National Security Agency
It has become apparent that many people want some of the benefits of MLS
but in a way that is easier to use than the full MLS implementation.
There are various strategies that can be used to provide security controls
over an application under SELinux. One strategy is to turn the program into
a userspace object manager. Since the SELinux kernel object managers cannot
control objects that are only visible in userspace, creating userspace object
managers is a natural part of implementing the flask architecture on Linux.
GConf is a configuration system for GNOME and controls configuration keys and
values which are not visible to the kernel. This paper discusses the general
process of providing SELinux controls over a program and the specific steps
taken to provide SELinux controls over GConf.
Porting Legacy Multilevel Secure Applications to Security Enhanced Linux
Andy Suchoski and Rick Supplee, Hewlett Packard Company
This paper reflects a work in progress and will discuss issues in migrating
applications from legacy Multilevel Secure (MLS) systems to Security Enhanced
Linux (SELinux). Initially, security architectural similarities and differences
will be discussed. This will provide a basis for discussing the actual migration
of code from Trusted Solaris to SELinux. Although the examples in the paper are
simple, they illustrate basic principles that will be used in porting code and
performing policy work in moving applications from Trusted Solaris to SELinux.
The areas covered are not exhaustive but do discuss how the main security
features of sensitivity labels, process privileges, roles, and authorizations
in Trusted Solaris map to SELinux. Additionally, areas where functionality does
not currently exist in SELinux will be noted. Finally, conclusions will be
offered and direction for further work.
Using the Flask Security Architecture to Facilitate Risk Adaptable Access Controls
Machon Gregory and Peter Loscocco, National Security Agency
Risk Adaptable Access Control is an important emerging technology that
has gained the attention of many people as a way to change the current
information dissemination policies. Systems implementing Risk Adaptable Access
Controls have the ability to enforce a flexible mandatory access control policy
based on various changing factors, such as situational and environmental factors.
Unfortunately, commonly deployed systems are unable to reliably support this
type of access control, but by using existing technology the desired capability could
be built. Application of the Flask Security Architecture is one such use of existing
technology. This paper describes Risk Adaptable Access Controls and how the Flask
Security Architecture can be used to provide the desired functionality. It
describes how this was done in the creation of a prototype RAdAC system.
Security-Enhanced Darwin: Porting SELinux to Mac OS X
Christopher Vance, Todd Miller, and Rob Dekelbaum, SPARTA, Inc.
Security-Enhanced Darwin (SEDarwin) is a port of access control elements
derived from NSA's Security Enhanced Linux (SELinux) to Darwin, the Open
Source core of Apple's Mac OS X operating system. Apple's Mac OS X operating
system combines both Open Source and proprietary technologies into a widely-used,
production-quality UNIX-based workstation. Because Darwin is available under an
Open Source license, it is possible to add mandatory access controls while still
maintaining compatibility with the large base of user space applications, proprietary
graphical components, and programming frameworks. While it was straightforward
to port many of the SELinux components, Darwin's unique architecture meant
significant new engineering was necessary in order to provide SELinux-style
access controls consistently across the entire system. This paper will describe
the component technologies in Darwin, the areas of significant new development,
and provide comparisons to SELinux.
Madison: A New Approach to Automated Policy Generation
Karl MacMillan, Red Hat
This paper introduces a new library and associated tools, called
Madison, for automatic policy generation. Madison includes features
that address all aspects of fully automated and user guided policy
generation, but has a particular focus on the generation of policy
statements similar in form to hand-written reference policy modules.
This focus allows Madison to complement the existing tools that
perform automatic policy generation. The policy modules generated
by Madison use reference policy interface calls and allow rules in
accordance with the encapsulation rules of the reference policy.
Producing these interface calls requires infrastructure to parse
reference policy headers, analysis routines to determine the access
allowed by each interface, and a novel approach to optimizing the
set of interface calls for a module that is computationally tractable.
Enforcing flexible access control in a networked policy domain
Joshua Brindle, Karen Vance, and Chad Sellers, Tresys Technology
Significant progress toward general acceptance of applying mandatory access
control to systems has been made recently. Security Enhanced Linux (SELinux),
in particular, has been enabled by default in some Linux distributions for
several years. However, current SELinux deployments only effectively control
a single system. Inter-system and remote resource access control capabilities
are starting to appear in SELinux, but extending policy management
capabilities to cover these networked systems remains an open problem.
This paper discusses issues that must be addressed to support security
policies distributed across a network, including policy development changes
needed to be able to express a coherent security policy for a network of
systems, managing the distribution of a multi-system policy, and synchronizing
policy updates, and presents a distributed policy management architecture.
Securing Inter-process Communications in SELinux
Spencer Shimko and Joshua Brindle, Tresys Technology
In the modern computing world, a secure system is best implemented with
mandatory access control (MAC) mechanisms. One aspect of secure system
design is the careful definition of information flows between processes - inter-process
communications (IPC). System designers, when weighing the security risks
and functionality of different types of IPC, have had to rely on intuition
and experience because of the lack of documentation regarding the security
properties of the IPC mechanisms. This paper explores the security
functionality that the underlying operating system must support to
facilitate secure communication between processes in a Linux operating
system. Security Enhanced Linux (SELinux) provides the MAC mechanisms
used to support and ensure secure communication between processes, as
is illustrated through the example secure IPC mechanism presented in
this paper. This example is achieved through a combination of SELinux
policy and traditional Linux IPC mechanisms, and presents the best
combination of security and throughput available in SELinux.
Towards Intuitive Tools for Managing SELinux: Hiding the Details but Retaining the Power
James Athey, Christopher Ashworth, Frank Mayer, and Don Miner, Tresys Technology
The details of the SELinux access control mechanisms lead to the perception
that SELinux is too complex for non-expert users to manage. We present
techniques that bridge the gap between the comprehensive, low-level
SELinux access controls and the intuitive, high-level abstractions familiar
to system administrators. These techniques shield the user from SELinux
implementation details without sacrificing the power and flexibility of
the SELinux policy language.
Extending Linux for Multi-Level Security
Klaus Weidner, atsec, George Wilson, IBM, and Loulwa Salem, IBM
Linux distributions have received numerous Common Criteria certifications in the last few years. Building on the recent Controlled Access Protection Profile (CAPP) certifications, an open source development effort to make Linux compliant with the Labeled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBACPP) has been ongoing for almost 2 years. Development included adding and augmenting features of SELinux and other Linux components. This paper explores the evolution of and rationale behind the features developed to meet LSPP and RBACPP, and discusses the current state of development and lessons learned.
SELinux Case Studies
Case studies are an opportunity to present information about the use and application of SELinux and to present lessons learned, successes, and areas of growth for SELinux. Information about deployed, production systems is of particular interest. These presentations will be brief (15 - 20 minutes) and no formal paper is required. Interested parties can submit case studies to email@example.com. Please include a title, a brief description of the case study, and contact information for the presenter. Presenters will be notified of acceptance by email, and the final schedule will be placed on the website and posted at the conference.