2001 FREENIX Track Technical Program - Abstract
Integrating Flexible Support for Security Policies into the Linux Operating System
Peter Loscocco, NSA, and
Stephen Smalley, NAI Labs
The protection mechanisms of current mainstream operating systems are
inadequate to support confidentiality and integrity requirements for
end systems. Mandatory access control (MAC) is needed to address such
requirements, but the limitations of traditional MAC have inhibited
its adoption into mainstream operating systems. The National Security
Agency (NSA) worked with Secure Computing Corporation (SCC) to develop
a flexible MAC architecture called Flask to overcome the limitations
of traditional MAC. The NSA has implemented this architecture in the
Linux operating system, producing a Security-Enhanced Linux (SELinux)
prototype, to make the technology available to a wider community and
to enable further research into secure operating systems. NAI Labs
has developed an example security policy configuration to demonstrate
the benefits of the architecture and to provide a foundation for
others to use. This paper describes the security architecture,
security mechanisms, application programming interface, security
policy configuration, and performance of SELinux.
- View the full text of this paper in
HTML form, and
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.