SlideShare a Scribd company logo

The State of Security Enhanced Linux - FOSS.IN/2007

J
James Morris

The State of Security Enhanced Linux - FOSS.IN/2007 Presentation given in Bangalore, India.

TechnologyNews & Politics
1 of 32
Download to read offline
The State of Security Enhanced Linux James Morris jmorris@namei.org FOSS.IN/2007 – Bengaluru, India
Outline ● Brief SELinux overview ● Project update ● Challenges ● Ongoing and Future work
What is SELinux? Security Framework ● Pluggable security models ● Clean separation of policy ● Coherent stacking (composition) ● Fully analyzable
What is SELinux? Security Mechanism ● Type Enforcement + RBAC + MLS ● Mandatory Access Control (MAC) ● Least privilege ● Enforces confidentiality and integrity ● Limits exploitation of vulnerabilities
What is SELinux? Community Project ● Originated in security research community c. 1980s ● Prototyped as academic research 1990s (Flask) ● Ported to Linux and released as GPL in 2000 ● Adopted by distributions, merged upstream and certified
Current Status ● Primarily adopted in Fedora and RHEL ● Supported by Debian, Ubuntu, Gentoo, others ● Market adoption: military, government embedded, finance. ● Unprecedented: MAC security available freely in an off the shelf OS. With source code!
Project Update Since last here (2005, Fedora Core 4 era) Reference Policy ● Interfaces & encapsulation ● Designed ● Policy management infrastructure & tools ● Flexibility ● Documentation ● Full MLS support
Project Update Loadable Policy Modules ● Dynamic loading and unload of policy ● Easier customization ● Third party policy ● Manage & ship policy with applications
Project Update Policy Tools SELinux Policy IDE (SLIDE) ● GUI policy development ● Eclipse-based ● Remote policy deployment & monitoring
Project Update SLIDE
Project Update Toolkit libsemanage ● Standard library for managing policy ● Used by higher level tools, from command line to GUI ● Extensible, e.g. Remote policy management
Project Update Toolkit semanage ● Simplifies several tasks which previously required editing different config files and recompiling policy. ● Examples: mapping users to roles, labeling network ports.
Project Update Toolkit restorecond ● Automatic relabeling of files which tend to get mislabeled, via inotify ● Reduces administrative overhead
Project Update Toolkit policycoreuitls-gui ● Python toolkit for GUI configuration of SELinux ● Integrated into system-config-selinux
system-config-selinux
Project Update Toolkit audit2why ● Tries to explain entries in the audit log ● Offers helpful suggestions
Project Update Toolkit setroubleshoot ● Diagnostic alerts ● Gnome applet ● GUI browser ● Extensible plugin architecture ● Email alerts
Project Update
Project Update Toolkit Policy Wizard GUI ● Simple guided policy generation tool ● Uses common application traits to create a loadable policy module for an application
Project Update Protection ● Memory access checks ● Targeted policy now covers ~240 confined domains.
Project Update Certification RHEL5 Common Criteria certified to EAL4+ against the protection profiles: ● LSPP – Labeled Security (“MAC”) ● CAPP – Controlled Access (“audit”) ● RBACPP – Role Based Access Control Performed on IBM and HP hardware.
Project Update Certification ● Significantly enhanced audit capabilities ● pam_namespace utilizes kernel namespaces to provide private views of the fileystem ● Improved labeled networking, including IPsec- based and legacy CIPSO labels for talking to existing Trusted OSs
Project Update Secmark ● Uses iptables to categorize & label packets ● Leverages iptables tools, modules, connection tracking, connection assurance etc. ● More secure and also vastly simplifies policy
Project Update X Access Control Extension (XACE) ● Security framework extension for X server ● Merged into X.org ● Important step in securing the desktop
Project Update Continued extension beyond Linux kernel ● Gconf – desktop environments ● SE-PostgreSQL – databases ● XSM – virtualization ● SEDarwin – other operating systems
Project Update Testing Linux Test Project (LTP) support for Reference Policy IBM and HP released certification testsuites to LTP
Project Update General SELinux By Example published, very comprehensive book xguest: constrained guest user for kiosk use Many contributions from Japanese community: ● Performance and memory use improvements ● Busybox integration ● Segatex (QT-based management suite) ● SEedit (simplified policy editor)
Challenges Usability ● Security and usability are inherently at odds ● No magic bullet ● Progress being made; need to continue building higher level tools and abstractions
Ongoing Work ● Better support for developers and administrators ● High level tools for end users ● Continued work on desktop support ● Full NFS support ● Higher level policy language ● Architectural refinements
How to Help Join the mailing list ● http://www.nsa.gov/selinux/info/subscribe.cfm Submit bug reports ● Documentation ● Developer and admin tools ● Usability for end users ● Your distribution probably has an SELinux team ●
Resources Main page http://www.nsa.gov/selinux/ News & planet http://selinuxnews.org/ Conference papers http://selinux-symposium.org/ Tresys open source projects http://oss.tresys.com/

Recommended

LWdatasheet
LWdatasheetLWdatasheet
LWdatasheetJolene Watkins
 
SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529VMUG IT
 
Practical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourcePractical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourceBlack Duck by Synopsys
 
Security of OpenDaylight platform
Security of OpenDaylight platformSecurity of OpenDaylight platform
Security of OpenDaylight platformOpenDaylight
 
Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...
Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...
Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...Nagios
 
Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...Aarno Aukia
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookThe printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookAarno Aukia
 
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19Lisa Laxton
 

Recommended

LWdatasheet
LWdatasheetLWdatasheet
LWdatasheetJolene Watkins
 
SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529VMUG IT
 
Practical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourcePractical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourceBlack Duck by Synopsys
 
Security of OpenDaylight platform
Security of OpenDaylight platformSecurity of OpenDaylight platform
Security of OpenDaylight platformOpenDaylight
 
Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...
Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...
Nagios Conference 2013 - Shamas Demoret - Power Up! The Multifaceted Benefits...Nagios
 
Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...Security in the DevOps pipeline of containerized core application: Case Study...
Security in the DevOps pipeline of containerized core application: Case Study...Aarno Aukia
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookThe printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookAarno Aukia
 
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19Lisa Laxton
 
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overview
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overviewIntroduction to Data Models & Cisco's NextGen Device Level APIs: an overview
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overviewCisco DevNet
 
Unicon Nov 2014 IAM Briefing
Unicon Nov 2014 IAM BriefingUnicon Nov 2014 IAM Briefing
Unicon Nov 2014 IAM BriefingJohn Gasper
 
Making Git Work for the Enterprise Through the Power of Perforce Helix
Making Git Work for the Enterprise Through the Power of Perforce HelixMaking Git Work for the Enterprise Through the Power of Perforce Helix
Making Git Work for the Enterprise Through the Power of Perforce HelixPerforce
 
Source-it Version-contol & GIT - floating-lesson
Source-it Version-contol & GIT - floating-lessonSource-it Version-contol & GIT - floating-lesson
Source-it Version-contol & GIT - floating-lessonYoram Michaeli
 
DEVNET-1112 The DevNet Hackathon Awards
DEVNET-1112 The DevNet Hackathon AwardsDEVNET-1112 The DevNet Hackathon Awards
DEVNET-1112 The DevNet Hackathon AwardsCisco DevNet
 
DEVNET-1117 Open Source DevCenter Launched within DevNet
DEVNET-1117 Open Source DevCenter Launched within DevNetDEVNET-1117 Open Source DevCenter Launched within DevNet
DEVNET-1117 Open Source DevCenter Launched within DevNetCisco DevNet
 
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...DevDay Dresden
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
7 Source Control and Release Management
7 Source Control and Release Management7 Source Control and Release Management
7 Source Control and Release Managementjavadch
 
Introducing Perforce Helix
Introducing Perforce HelixIntroducing Perforce Helix
Introducing Perforce HelixPerforce
 
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012Ryo Jin
 
Hello DevOps World
Hello DevOps WorldHello DevOps World
Hello DevOps WorldYoram Michaeli
 
curriculum-vitae-dag-wieers
curriculum-vitae-dag-wieerscurriculum-vitae-dag-wieers
curriculum-vitae-dag-wieersDag Wieers
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...Puppet
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)James Morris
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoJames Morris
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 

More Related Content

What's hot

Introduction to Data Models & Cisco's NextGen Device Level APIs: an overview
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overviewIntroduction to Data Models & Cisco's NextGen Device Level APIs: an overview
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overviewCisco DevNet
 
Unicon Nov 2014 IAM Briefing
Unicon Nov 2014 IAM BriefingUnicon Nov 2014 IAM Briefing
Unicon Nov 2014 IAM BriefingJohn Gasper
 
Making Git Work for the Enterprise Through the Power of Perforce Helix
Making Git Work for the Enterprise Through the Power of Perforce HelixMaking Git Work for the Enterprise Through the Power of Perforce Helix
Making Git Work for the Enterprise Through the Power of Perforce HelixPerforce
 
Source-it Version-contol & GIT - floating-lesson
Source-it Version-contol & GIT - floating-lessonSource-it Version-contol & GIT - floating-lesson
Source-it Version-contol & GIT - floating-lessonYoram Michaeli
 
DEVNET-1112 The DevNet Hackathon Awards
DEVNET-1112 The DevNet Hackathon AwardsDEVNET-1112 The DevNet Hackathon Awards
DEVNET-1112 The DevNet Hackathon AwardsCisco DevNet
 
DEVNET-1117 Open Source DevCenter Launched within DevNet
DEVNET-1117 Open Source DevCenter Launched within DevNetDEVNET-1117 Open Source DevCenter Launched within DevNet
DEVNET-1117 Open Source DevCenter Launched within DevNetCisco DevNet
 
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...DevDay Dresden
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
7 Source Control and Release Management
7 Source Control and Release Management7 Source Control and Release Management
7 Source Control and Release Managementjavadch
 
Introducing Perforce Helix
Introducing Perforce HelixIntroducing Perforce Helix
Introducing Perforce HelixPerforce
 
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012Ryo Jin
 
curriculum-vitae-dag-wieers
curriculum-vitae-dag-wieerscurriculum-vitae-dag-wieers
curriculum-vitae-dag-wieersDag Wieers
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...Puppet
 

What's hot (14)

Introduction to Data Models & Cisco's NextGen Device Level APIs: an overview
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overviewIntroduction to Data Models & Cisco's NextGen Device Level APIs: an overview
Introduction to Data Models & Cisco's NextGen Device Level APIs: an overview
 
Unicon Nov 2014 IAM Briefing
Unicon Nov 2014 IAM BriefingUnicon Nov 2014 IAM Briefing
Unicon Nov 2014 IAM Briefing
 
Making Git Work for the Enterprise Through the Power of Perforce Helix
Making Git Work for the Enterprise Through the Power of Perforce HelixMaking Git Work for the Enterprise Through the Power of Perforce Helix
Making Git Work for the Enterprise Through the Power of Perforce Helix
 
Source-it Version-contol & GIT - floating-lesson
Source-it Version-contol & GIT - floating-lessonSource-it Version-contol & GIT - floating-lesson
Source-it Version-contol & GIT - floating-lesson
 
DEVNET-1112 The DevNet Hackathon Awards
DEVNET-1112 The DevNet Hackathon AwardsDEVNET-1112 The DevNet Hackathon Awards
DEVNET-1112 The DevNet Hackathon Awards
 
DEVNET-1117 Open Source DevCenter Launched within DevNet
DEVNET-1117 Open Source DevCenter Launched within DevNetDEVNET-1117 Open Source DevCenter Launched within DevNet
DEVNET-1117 Open Source DevCenter Launched within DevNet
 
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
DevDay 2018: Martin Schurz - Aufbau einer Monitoringlösung für moderne Applik...
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - Berlin
 
7 Source Control and Release Management
7 Source Control and Release Management7 Source Control and Release Management
7 Source Control and Release Management
 
Introducing Perforce Helix
Introducing Perforce HelixIntroducing Perforce Helix
Introducing Perforce Helix
 
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
Tizen IVI - Rusty Lynch (Intel) - Korea Linux Forum 2012
 
Hello DevOps World
Hello DevOps WorldHello DevOps World
Hello DevOps World
 
curriculum-vitae-dag-wieers
curriculum-vitae-dag-wieerscurriculum-vitae-dag-wieers
curriculum-vitae-dag-wieers
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
 

Viewers also liked

Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)James Morris
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoJames Morris
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 

Viewers also liked (12)

Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux Networking
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_eng
 
System Integrity
System IntegritySystem Integrity
System Integrity
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For Sysadmins
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 

Similar to The State of Security Enhanced Linux - FOSS.IN/2007

Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsWeaveworks
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Weaveworks
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdWeaveworks
 
Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1G R VISHAL
 
Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011
Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011
Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011Nuxeo
 
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...Weaveworks
 
Top 10 dev ops tools (1)
Top 10 dev ops tools (1)Top 10 dev ops tools (1)
Top 10 dev ops tools (1)yalini97
 
Cloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOpsCloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOpsWeaveworks
 
Introducing the Civil Infrastructure Platform
Introducing the Civil Infrastructure PlatformIntroducing the Civil Infrastructure Platform
Introducing the Civil Infrastructure PlatformYoshitake Kobayashi
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOpsAarno Aukia
 
Introducing the Civil Infrastructure Platform Project
Introducing the Civil Infrastructure Platform ProjectIntroducing the Civil Infrastructure Platform Project
Introducing the Civil Infrastructure Platform ProjectYoshitake Kobayashi
 
SLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure PlatformSLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure PlatformYoshitake Kobayashi
 
Free GitOps Workshop
Free GitOps WorkshopFree GitOps Workshop
Free GitOps WorkshopWeaveworks
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021William Caban
 
The FN Project by Maximilian Jerg
The FN Project by Maximilian JergThe FN Project by Maximilian Jerg
The FN Project by Maximilian JergHarald Schmaldienst
 
DevOps Workflows in the Windows Ecosystem - April 21
DevOps Workflows in the Windows Ecosystem - April 21 DevOps Workflows in the Windows Ecosystem - April 21
DevOps Workflows in the Windows Ecosystem - April 21Puppet
 

Similar to The State of Security Enhanced Linux - FOSS.IN/2007 (20)

Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1
 
Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011
Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011
Nuxeo World Keynote: Roadmap - What to Expect from Nuxeo in 2011
 
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
 
Top 10 dev ops tools (1)
Top 10 dev ops tools (1)Top 10 dev ops tools (1)
Top 10 dev ops tools (1)
 
Cloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOpsCloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOps
 
Introducing the Civil Infrastructure Platform
Introducing the Civil Infrastructure PlatformIntroducing the Civil Infrastructure Platform
Introducing the Civil Infrastructure Platform
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
 
Dean Hagen
Dean HagenDean Hagen
Dean Hagen
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOps
 
NVReddy
NVReddyNVReddy
NVReddy
 
Introducing the Civil Infrastructure Platform Project
Introducing the Civil Infrastructure Platform ProjectIntroducing the Civil Infrastructure Platform Project
Introducing the Civil Infrastructure Platform Project
 
SLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure PlatformSLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure Platform
 
Free GitOps Workshop
Free GitOps WorkshopFree GitOps Workshop
Free GitOps Workshop
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
 
The FN Project by Maximilian Jerg
The FN Project by Maximilian JergThe FN Project by Maximilian Jerg
The FN Project by Maximilian Jerg
 
DevOps Workflows in the Windows Ecosystem - April 21
DevOps Workflows in the Windows Ecosystem - April 21 DevOps Workflows in the Windows Ecosystem - April 21
DevOps Workflows in the Windows Ecosystem - April 21
 

More from James Morris

Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSJames Morris
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlJames Morris
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking OverviewJames Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004James Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004James Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007James Morris
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 

More from James Morris (8)

Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFS
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking Overview
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 

Recently uploaded

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

The State of Security Enhanced Linux - FOSS.IN/2007

  • 1. The State of Security Enhanced Linux James Morris jmorris@namei.org FOSS.IN/2007 – Bengaluru, India
  • 2. Outline ● Brief SELinux overview ● Project update ● Challenges ● Ongoing and Future work
  • 3. What is SELinux? Security Framework ● Pluggable security models ● Clean separation of policy ● Coherent stacking (composition) ● Fully analyzable
  • 4. What is SELinux? Security Mechanism ● Type Enforcement + RBAC + MLS ● Mandatory Access Control (MAC) ● Least privilege ● Enforces confidentiality and integrity ● Limits exploitation of vulnerabilities
  • 5. What is SELinux? Community Project ● Originated in security research community c. 1980s ● Prototyped as academic research 1990s (Flask) ● Ported to Linux and released as GPL in 2000 ● Adopted by distributions, merged upstream and certified
  • 6. Current Status ● Primarily adopted in Fedora and RHEL ● Supported by Debian, Ubuntu, Gentoo, others ● Market adoption: military, government embedded, finance. ● Unprecedented: MAC security available freely in an off the shelf OS. With source code!
  • 7. Project Update Since last here (2005, Fedora Core 4 era) Reference Policy ● Interfaces & encapsulation ● Designed ● Policy management infrastructure & tools ● Flexibility ● Documentation ● Full MLS support
  • 8. Project Update Loadable Policy Modules ● Dynamic loading and unload of policy ● Easier customization ● Third party policy ● Manage & ship policy with applications
  • 9. Project Update Policy Tools SELinux Policy IDE (SLIDE) ● GUI policy development ● Eclipse-based ● Remote policy deployment & monitoring
  • 11. Project Update Toolkit libsemanage ● Standard library for managing policy ● Used by higher level tools, from command line to GUI ● Extensible, e.g. Remote policy management
  • 12. Project Update Toolkit semanage ● Simplifies several tasks which previously required editing different config files and recompiling policy. ● Examples: mapping users to roles, labeling network ports.
  • 13. Project Update Toolkit restorecond ● Automatic relabeling of files which tend to get mislabeled, via inotify ● Reduces administrative overhead
  • 14. Project Update Toolkit policycoreuitls-gui ● Python toolkit for GUI configuration of SELinux ● Integrated into system-config-selinux
  • 16. Project Update Toolkit audit2why ● Tries to explain entries in the audit log ● Offers helpful suggestions
  • 17. Project Update Toolkit setroubleshoot ● Diagnostic alerts ● Gnome applet ● GUI browser ● Extensible plugin architecture ● Email alerts
  • 19. Project Update Toolkit Policy Wizard GUI ● Simple guided policy generation tool ● Uses common application traits to create a loadable policy module for an application
  • 20.
  • 21. Project Update Protection ● Memory access checks ● Targeted policy now covers ~240 confined domains.
  • 22. Project Update Certification RHEL5 Common Criteria certified to EAL4+ against the protection profiles: ● LSPP – Labeled Security (“MAC”) ● CAPP – Controlled Access (“audit”) ● RBACPP – Role Based Access Control Performed on IBM and HP hardware.
  • 23. Project Update Certification ● Significantly enhanced audit capabilities ● pam_namespace utilizes kernel namespaces to provide private views of the fileystem ● Improved labeled networking, including IPsec- based and legacy CIPSO labels for talking to existing Trusted OSs
  • 24. Project Update Secmark ● Uses iptables to categorize & label packets ● Leverages iptables tools, modules, connection tracking, connection assurance etc. ● More secure and also vastly simplifies policy
  • 25. Project Update X Access Control Extension (XACE) ● Security framework extension for X server ● Merged into X.org ● Important step in securing the desktop
  • 26. Project Update Continued extension beyond Linux kernel ● Gconf – desktop environments ● SE-PostgreSQL – databases ● XSM – virtualization ● SEDarwin – other operating systems
  • 27. Project Update Testing Linux Test Project (LTP) support for Reference Policy IBM and HP released certification testsuites to LTP
  • 28. Project Update General SELinux By Example published, very comprehensive book xguest: constrained guest user for kiosk use Many contributions from Japanese community: ● Performance and memory use improvements ● Busybox integration ● Segatex (QT-based management suite) ● SEedit (simplified policy editor)
  • 29. Challenges Usability ● Security and usability are inherently at odds ● No magic bullet ● Progress being made; need to continue building higher level tools and abstractions
  • 30. Ongoing Work ● Better support for developers and administrators ● High level tools for end users ● Continued work on desktop support ● Full NFS support ● Higher level policy language ● Architectural refinements
  • 31. How to Help Join the mailing list ● http://www.nsa.gov/selinux/info/subscribe.cfm Submit bug reports ● Documentation ● Developer and admin tools ● Usability for end users ● Your distribution probably has an SELinux team ●
  • 32. Resources Main page http://www.nsa.gov/selinux/ News & planet http://selinuxnews.org/ Conference papers http://selinux-symposium.org/ Tresys open source projects http://oss.tresys.com/