selinux project overview - linux foundation japan symposium 2008
DESCRIPTION
"SELinux Project Overview" - presenation given at the Linux Foundation Japan Symposium 2008. Video of the talk is available here: http://video.linuxfoundation.org/video/1031TRANSCRIPT
![Page 1: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/1.jpg)
SELinux Project Overview
8th Linux Foundation Japan SymposiumJuly 2008, Tokyo
James [email protected]
![Page 2: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/2.jpg)
Outline
● SELinux Introduction
● Rationale and Design
● Project Milestones
● Current Work and Challenges
![Page 3: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/3.jpg)
What is SELinux?
Security Framework
● Pluggable security models● Clean separation of policy and mechanism● Coherent stacking (composition)● Fully analyzable
![Page 4: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/4.jpg)
What is SELinux ?
Security Model
● Mandatory Access Control (MAC)● Type Enforcement + RBAC + MLS
– Least privilege
– Enforces confidentiality and integrity
– Strong isolation of applications
– Information flow control
– Limits exploitation of vulnerabilities
![Page 5: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/5.jpg)
What is SELinux ?
Community Project
● Originated in 1980s security research● Academic research prototype (Flask) 1990s● Ported to Linux, released under GPL in 2000● Distro adoption, upstream merge, certification● Adoption and innovation by users
![Page 6: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/6.jpg)
Why SELinux ?
● Existing MLS solutions:– Inflexible
– Don’t meet general requirements
– Hindered adoption
– Niche products: expensive and weird
![Page 7: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/7.jpg)
Why SELinux ?
● Better security for general computing:– DAC is not enough
– Need to protect against software flaws
– Flexibility
– Meet general requirements
– Ubiquitous
![Page 8: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/8.jpg)
SELinux Design
● Retrofit into existing OS
● System-wide policy
● Labeling of all security relevant objects
● Policy applied in the kernel (AVC)
![Page 9: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/9.jpg)
Milestones
● 2000 – 2003– GPL code release
– Kernel summit presentation
– LSM project
– Port SELinux to LSM
– Kernel 2.6 released Dec 03 with SELinux
– Early community efforts, including Debian Integration
![Page 10: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/10.jpg)
Milestones
● 2004 – 2005– Fedora integration
– Targeted policy
– RHEL integration (commercially supported)
– Foundation for viable production model
– SELinux Symposium, growth of community
![Page 11: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/11.jpg)
Milestones
● 2005 – present– Loadable policy modules
– Reference policy
– Booleans
– Libraries
– Tools
– Setroubleshoot
– SLIDE
![Page 12: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/12.jpg)
Modern SELinux
![Page 13: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/13.jpg)
Modern SELinux
![Page 14: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/14.jpg)
Modern SELinux
![Page 15: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/15.jpg)
SELinux Adoption
● Widely adopted in Fedora– Smolt statistics show majority have SELinux
enabled.
● RHEL adoption by military, govt, finance:– Factor in NYSE/Euronext adoption, handling over
$140 Billion/day in trades.
– US Coast Guard Intelligence case study.
● Embedded / consumer electronics:– MicroSELinux
– Many improvements from Japanese developers
![Page 16: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/16.jpg)
Threat Mitigation
“A security framework originally published by the US National Security Agency has begun to rack up an impressive list of protections against security holes.”
– LinuxWorld, Feb 2008
● SELinux has mitigated several serious security threats to everyday users of Fedora & RHEL.
● Tracked @ Tresys Mitigation News
![Page 17: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/17.jpg)
Current Work
● Wider distribution support:– Ubuntu, Debian, Gentoo
● Beyond kernel:– Virtualization (XSM)
– Desktop (XACE)
– Storage (LNFS)
– Applications (Database etc.)
● Beyond Linux:– OpenSolaris FMAC
![Page 18: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/18.jpg)
Cool Stuff
● Flexible design leads to innovative ideas● Xguest
– “Kiosk Mode”
– Anonymous desktop session
– Protect system from user
– Utilizes “military” technologies for general use
– Conferences, training, demos, library, child-proof...
● Russell Coker’s Play Machine
![Page 19: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/19.jpg)
Challenges
● Improved usability, as always!
● Documentation
● Keep community growing
![Page 20: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/20.jpg)
How to Participate
● Install SELinux enabled distribution● Join mailing lists● IRC● Ask questions● Answer questions!
See Resources page for links.
![Page 21: SELinux Project Overview - Linux Foundation Japan Symposium 2008](https://reader034.vdocuments.us/reader034/viewer/2022052307/55842c59d8b42a785e8b4e53/html5/thumbnails/21.jpg)
Resources
● Official Home Page– http://nsa.gov/selinux/
● Inevitibility of Failure Paper– http://www.nsa.gov/selinux/papers/inevitability/
● Tresys Mitigation News– http://www.tresys.com/innovation.php
● Community Project Server– http://selinuxproject.org/