Have You Driven an SELinux Lately?
  An update on the Security Enhanced Linux Project



                  James Morris
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008

"Have You Driven an SELinux Lately? - An Update on the SELinux Project"

This was given at OLS (Ottawa Linux Symposium) in 2008.

The paper from the talk may be found at
http://namei.org/ols-2008-selinux-paper.pdf.


  1. Have You Driven an SELinux Lately?
     An update on the Security Enhanced Linux Project
     James Morris
     Red Hat Asia Pacific Pte Ltd
     Ottawa Linux Symposium 2008

  2. Project Timeline
     ● 1980s – 1990s
       – Academic R&D
     ● 2000 – 2003
       – GPL release, upstream merge
     ● 2003 – 2005
       – Distribution integration
     ● 2005 – present
       – Infrastructure and usability improvements

  3. Infrastructure Work
     ● Loadable Policy Modules
     ● Reference Policy
     ● Policy Booleans
     ● Libraries
     ● Toolchain

  4. User Experience
     ● Targeted Policy
       – Initially confined only critical applications
       – Now re-merged with hundreds of modules
     ● Targeted behavior selected via the unconfined module
     ● Setroubleshoot
       – Inspired by GNOME bug buddy

  5. setroubleshoot

  6. System Administration
     ● audit2why
     ● semanage
     ● restorecond
     ● system-config-selinux

  7. system-config-selinux

  8. Policy Development
     ● Command line tools for quick fixes
     ● SLIDE
     ● SEEdit

  9. SLIDE

  10. Core Enhancements
     ● Performance and scalability improvements
     ● Integrated with kernel memory protection
     ● Netfilter-based network controls
     ● Labeled Networking
     ● Better MLS

  11. Security Evaluation
     ● RHEL5 Common Criteria certifications
       – LSPP, RBACPP, CAPP at EAL4+
       – IBM, HP and SGI hardware
       – Community effort
       – Led to improved audit and other features
     ● Other Accreditation
       – US Coast Guard Intelligence case study

  12. Threat Mitigation
     “A security framework originally published by the US National
     Security Agency has begun to rack up an impressive list of
     protections against security holes.”
       – LinuxWorld, Feb 2008
     ● SELinux has mitigated several serious security threats to
       everyday users of Fedora & RHEL.
     ● Tracked @ Tresys Mitigation News

  13. SELinux Adoption
     ● Widely adopted in Fedora
       – Smolt statistics show majority have SELinux enabled.
     ● RHEL adoption by military, govt, finance:
       – Factor in NYSE/Euronext adoption, handling over
         $140 Billion/day in trades.
     ● Embedded / consumer electronics:
       – Reduce risks and costs of vulnerabilities
       – Simpler systems can have tighter policy

  14. Kiosk Mode (xguest)
     ● Anonymous desktop sessions
     ● Innovative application of several security technologies
     ● Useful for conferences, training, trade shows, libraries,
       child-proofing...

  15. Current Work
     ● Wider distribution support:
       – Ubuntu, Debian, Gentoo
     ● Beyond kernel:
       – Virtualization (XSM)
       – Desktop (XACE)
       – Storage (LNFS)
       – Applications (Database etc.)
     ● Beyond Linux:
       – OpenSolaris FMAC

  16. Challenges
     ● Improved usability, as always!
     ● Documentation
     ● Keep community growing

  17. How to Participate
     ● Install SELinux enabled distribution
     ● Join mailing lists
     ● IRC
     ● Ask questions, report bugs!

  18. by marco_ely @flickr