Libselinux, a component of the Security-Enhanced Linux (SELinux) package developed by the National Security Agency, provides an interface for security policies and access control.
The primary goal of libselinux is to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Unfortunately, many mainstream operating systems lack critical security features required for enforcing separation, including mandatory access control. This makes application security mechanisms vulnerable to tampering and bypass, resulting in failures in system security.
To address this issue, the NSA has incorporated research projects into a security-enhanced Linux system. This version of Linux has a strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce separation of information based on confidentiality and integrity requirements, thereby addressing the threats of tampering with and bypassing application security mechanisms.
Linux was chosen as the platform for this work because its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system. Additionally, the integration of these security research results into Linux may encourage further operating system security research that may lead to further improvement in system security.
It is important to note that Security-Enhanced Linux is not a complete security solution for Linux and does not aim to correct existing flaws in the system. Rather, it is an example of how mandatory access controls that can confine the actions of any process can be added to Linux. The focus of this work is on flexible support for a wide range of security policies, enabling the system to be configured to meet different security requirements.
Although much work is still needed to develop a complete security solution, libselinux provides a good starting point for bringing valuable security features to Linux. The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Comments, constructive criticism, and improvements are welcome.
Version 1.34.15: N/A