2007 SELinux Symposium Abstracts

The Design and Implementation of a Guard Installation and Administration Framework

Boyd Fletcher and Christopher Roberts, United States Joint Forces Command J9

The Guard Installation and Administration Framework is a set of applications and processes to reduce the develop- ment costs for building installation and maintenance subsystems for SE Linux based cross domain guarding solu- tions. This paper discusses the issues with the development a SE Linux based guards and our solutions to them.

FCGlob: A new SELinux file context syntax

Donald Miner, UMBC

James Athey, Tresys Technology

A new syntax designed to replace the usage of regular expressions in SELinux\'s file contexts is proposed, named FCGlob. There are several major problems with using regular expressions for file contexts, such as an approximated sorting, ambiguous declarations, common user er rors, obfuscation due to cleverness and the difficulty in finding set relationships. FCGlob is designed to address all of these problems by using a simpler syntax that is more tailored to matching UNIX file paths. The new syntax encourages clear and simple patterns, discourages cleverness and laziness and makes it easy for a computer to analyze. In addition to fixing several problems, FCGlob also opens the door to several enhancements. The basis for most enhancements is the use of a tree data structure as apposed to a linear list that that is used in the current implementation of file contexts. Several benefits result from the usage of a tree structure, such as a faster matchpathcon and the possibility for many new features. Implementing the FCGlob prototype can be done without making any changes to libselinux by converting all the FCGlobs into regular expressions and ordering them in a linear list. This way not too much work has to be done to demonstrate the advantages of FCGlob. If the prototype is successful and accepted it can then be integrated into libselinux as a complete replacement.

Setroubleshoot: A User Friendly Tool to Diagnose AVC Denials

John Dennis, Red Hat

Practical experience with the deployment of SELinux has shown it is often disabled in the field negating its promise. Anecdotal evidence suggests software developers and end users consider it difficult to use, comprehend, and the root cause of mysterious failures. Perceived as productivity barrier the expedient solution is to disable it. A new tool has been developed which exposes AVC denials in real time and interacts with a user presenting information in a friendly manner explaining the current denial and suggesting possible solutions. Replacing the hidden, often obscure failures in software which only occur when SELinux is enabled with friendly notification of SELinux\'s actions will improve the use experience fostering adoption.

Integrating SELinux with Securiy-typed Languages

Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel, Pennsylvania State University

Recent advances in the area of security-typed languages have enabled the development of realistic applications aware of information flow security. Traditionally, operat- ing systems have enforced MAC with minimal dependence on application programs. Although these approaches have common goals, they have progressed independently. How- ever, there are many cases where systems depend on user- level programs to enforce information flows, so integration of information flow enforcement between the operating sys- tems and security-typed applications would be beneficial. In this paper, we examine what it takes to integrate information flow enforcement of a security-typed extension of Java with SELinux. We find that SELinux has most of the necessary features to build a proof-of-concept system, but other ser- vices are necessary, such as verifying compliance between information flow policies. Ultimately, we are optimistic that the comprehensive access control enforcement of SELinux will be ideal for integration with these security-typed applications.

Integrating X.Org with Security-Enhanced Linux

Eamon Walsh, National Security Agency

The proposed paper will outline the progress that has been made on adding Security-Enhanced Linux policy support to the X Window System, a major component of the Linux desktop. The work consists of two modifications to the X.Org X server implementation, as well as supporting infrastructure in libselinux. The first modification is the replacement of the existing X server Security extension with a more general framework of hook functions and security state, similar to the Linux Security Module. The second modification is a new X server extension which provides trusted path input and window labeling, and acts as an SELinux object manager, extending the enforcement of a kernel-based security policy to the X server in userspace.

Using GConf as an Example of How to Create an Userspace Object Manager

James Carter, National Security Agency

It has become apparent that many people want some of the benefits of MLS but in a way that is easier to use than the full MLS implementation.

There are various strategies that can be used to provide security controls over an application under SELinux. One strategy is to turn the program into a userspace object manager. Since the SELinux kernel object managers cannot control objects that are only visible in userspace, creating userspace object managers is a natural part of implementing the flask architecture on Linux. GConf is a configuration system for GNOME and controls configuration keys and values which are not visible to the kernel. This paper discusses the general process of providing SELinux controls over a program and the specific steps taken to provide SELinux controls over GConf.

Porting Legacy Multilevel Secure Applications to Security Enhanced Linux

Andy Suchoski and Rick Supplee, Hewlett Packard Company

This paper reflects a work in progress and will discuss issues in migrating applications from legacy Multilevel Secure (MLS) systems to Security Enhanced Linux (SELinux). Initially, security architectural similarities and differences will be discussed. This will provide a basis for discussing the actual migration of code from Trusted Solaris to SELinux. Although the examples in the paper are simple, they illustrate basic principles that will be used in porting code and performing policy work in moving applications from Trusted Solaris to SELinux. The areas covered are not exhaustive but do discuss how the main security features of sensitivity labels, process privileges, roles, and authorizations in Trusted Solaris map to SELinux. Additionally, areas where functionality does not currently exist in SELinux will be noted. Finally, conclusions will be offered and direction for further work.

Using the Flask Security Architecture to Facilitate Risk Adaptable Access Controls

Machon Gregory and Peter Loscocco, National Security Agency

Risk Adaptable Access Control is an important emerging technology tha t has gained the attention of many people as a way to change the current information dissemination policies. Systems implementing Risk Adaptable Access Controls have the ability to enforce a flexible mandatory access control policy based on various changing factors, such as situational and environmental factors. Unfortunately, commonly deployed systems are unable to the reliably support this type of access control, but by using existing technology the desired capable could be built. Applications of the Flask Security Architecture is such use of existing technology. This paper describes Risk Adaptable Access Controls and how the Flask Security Architecture can be used to provide the desired functionality. It describes how this was done in the creation of a prototype RAdAC system.

Security-Enhanced Darwin: Porting SELinux to Mac OS X

Christopher Vance, Todd Miller, and Rob Dekelbaum, SPARTA, Inc.

Security-Enhanced Darwin (SEDarwin) is a port of access control elements derived from NSA\'s Security Enhanced Linux (SELinux) to Darwin, the Open Source core of Apple\'s Mac OS X operating system. Apple\'s Mac OS X operating system combines both Open Source and proprietary technologies into a widely-used, production-quality UNIX-based workstation. Because Darwin is available under an Open Source license, it is possible to add mandatory access controls while still maintaining compatibility with the large base of user space applications, proprietary graphical components, and programming frameworks. While it was straightforward to port many of the SELinux components, Darwin\'s unique architecture meant significant new engineering was necessary in order to provide SELinux-style access controls consistently across the entire system. This paper will describe the component technologies in Darwin, the areas of significant new development, and provide comparisons to SELinux.

Madison: A New Approach to Automated Policy Generation

Karl MacMillan, Red Hat

This paper introduces a new library and associated tools, called Madison, for automatic policy generation. Madison includes features that address all aspects of fully automated and user guided policy generation, but has a particular focus on the generation of policy statements similar in form to hand-written reference policy modules. This focus allows Madison to compliment the existing tools that perform automatic policy generation. The policy modules generated by Madison use reference policy interface calls and allow rules in accordance with the encapsulation rules of the reference policy. Producing these interface calls requires infrastructure to parse reference policy headers, analysis routines to determine the access allowed by each interface, and a novel approach to optimizing the set of interface calls for a module that is computationally tractable.

Enforcing flexible access control in a networked policy domain

Joshua Brindle, Karen Vance, and Chad Sellers, Tresys Technology

Significant progress toward general acceptance of applying mandatory access control to systems has been made recently. Security Enhanced Linux (SELinux), in particular, has been enabled by default in some Linux distributions for several years. However, current SELinux deployments only effectively control a single system. Inter-system and remote resource access control capabilities are starting to appear in SELinux, but extending policy management capabilities to cover these networked systems remains an open problem. This paper discusses issues that must be addressed to support security policies distributed across a network, including policy development changes needed to be able to express a coherent security policy for a network of systems, managing the distribution of a multi-system policy, and synchronizing policy updates, and presents a distributed policy management architecture.

Securing Inter-process Communications in SELinux

Spencer Shimko and Joshua Brindle, Tresys Technology

In the modern computing world, a secure system is best implemented with mandatory access control (MAC) mecha-nisms. One aspect of secure system design is the careful definition of information flows between processes - inter-process communications (IPC). System designers, when weighing the security risks and functionality of different types of IPC, have had to rely on intuition and experience because of the lack of documentation regarding the secu-rity properties of the IPC mechanisms. This paper explores the security functionality that the underlying operating system must support to facilitate secure communication between processes in a Linux operating system. Security Enhanced Linux (SELinux) provides the MAC mechanisms used to support and ensure secure communication be-tween processes, as is illustrated through the example secure IPC mechanism presented in this paper. This example is achieved through a combination of SELinux policy and traditional Linux IPC mechanisms, and presents the best combination of security and throughput available in SELinux.

Towards Intuitive Tools for Managing SELinux: Hiding the Details but Retaining the Power

James Athey, Christopher Ashworth, Frank Mayer, and Don Miner, Tresys Technology

The details of the SELinux access control mechanisms lead to the perception that SELinux is too complex for non-expert users to manage. We present techniques that bridge the gap between the comprehensive, low-level SELinux access controls and the intuitive, high-level abstractions familiar to system administrators. These techniques shield the user from SELinux implementation details without sacrificing the power and flexibility of the SELinux policy language.

Extending Linux for Multi-Level Security

Klaus Weidner, atsec, George Wilson, IBM, and Loulwa Salem, IBM

Linux distributions have received numerous Common Criteria certifications in the last few years. Building on the recent Controlled Access Protection Profile (CAPP) certifications, an open source development effort to make Linux compliant with the Labeled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBACPP) has been ongoing for almost 2 years. Development included adding and augmenting features of SELinux and other Linux components. This paper explores the evolution of and rationale behind the features developed to meet LSPP and RBACPP, and discusses the current state of development and lessons learned.