SlideShare ist ein Scribd-Unternehmen logo

Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008

J
James Morris

"Have You Driven an SELinux Lately? - An Update on the SELinux Project" This was given at OLS (Ottawa Linux Symposium) in 2008. The paper from the talk may be found at http://namei.org/ols-2008-selinux-paper.pdf.

Technologie
1 von 18
Downloaden Sie, um offline zu lesen
Have You Driven an SELinux Lately? An update on the Security Enhanced Linux Project James Morris Red Hat Asia Pacific Pte Ltd Ottawa Linux Symposium 2008
Project Timeline ● 1980s – 1990s – Academic R&D ● 2000 – 2003 – GPL release, upstream merge ● 2003 – 2005 – Distribution integration ● 2005 – present – Infrastructure and usability improvements
Infrastructure Work ● Loadable Policy Modules ● Reference Policy ● Policy Booleans ● Libraries ● Toolchain
User Experience ● Targeted Policy – Initially confined only critical applications – Now re-merged with hundreds of modules ● Targeted behavior selected via the unconfined module ● Setroubleshoot – Inspired by GNOME bug buddy
setroubleshoot
System Administration ● audit2why ● semanage ● restorecond ● system-config-selinux
system-config-selinux
Policy Development ● Command line tools for quick fixes ● SLIDE ● SEEdit
SLIDE
Core Enhancements ● Performance and scalability improvements ● Integrated with kernel memory protection ● Netfilter-based network controls ● Labeled Networking ● Better MLS
Security Evaluation ● RHEL5 Common Criteria certifications – LSPP, RBACPP, CAPP at EAL4+ – IBM, HP and SGI hardware – Community effort – Led to improved audit and other features ● Other Accreditation – US Coast Guard Intelligence case study
Threat Mitigation “A security framework originally published by the US National Security Agency has begun to rack up an impressive list of protections against security holes.” – LinuxWorld, Feb 2008 ● SELinux has mitigated several serious security threats to everyday users of Fedora & RHEL. ● Tracked @ Tresys Mitigation News
SELinux Adoption ● Widely adopted in Fedora – Smolt statistics show majority have SELinux enabled. ● RHEL adoption by military, govt, finance: – Factor in NYSE/Euronext adoption, handling over $140 Billion/day in trades. ● Embedded / consumer electronics: – Reduce risks and costs of vulnerabilities – Simpler systems can have tighter policy
Kiosk Mode (xguest) ● Anonymous desktop sessions ● Innovative application of several security technologies ● Useful for conferences, training, trade shows, libraries, child-proofing...
Current Work ● Wider distribution support: – Ubuntu, Debian, Gentoo ● Beyond kernel: – Virtualization (XSM) – Desktop (XACE) – Storage (LNFS) – Applications (Database etc.) ● Beyond Linux: – OpenSolaris FMAC
Challenges ● Improved usability, as always! ● Documentation ● Keep community growing
How to Participate ● Install SELinux enabled distribution ● Join mailing lists ● IRC ● Ask questions, report bugs!
by marco_ely @flickr

Empfohlen

Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSJames Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 

Empfohlen

Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSJames Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security OverviewKernel TLV
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Linux Security
Linux SecurityLinux Security
Linux Securitynayakslideshare
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewKaiwan Billimoria
 
Futex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsFutex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsDavidlohr Bueso
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
SELinux basics
SELinux basicsSELinux basics
SELinux basicsLubomir Rintel
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinuxRene Cunningham
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic UsageDmytro Minochkin
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007James Morris
 

Weitere ähnliche Inhalte

Was ist angesagt?

Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security OverviewKernel TLV
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewKaiwan Billimoria
 
Futex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsFutex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsDavidlohr Bueso
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 

Was ist angesagt? (20)

Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Linux security
Linux securityLinux security
Linux security
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security Overview
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
 
Futex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsFutex Scaling for Multi-core Systems
Futex Scaling for Multi-core Systems
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with Lynis
 

Ähnlich wie Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008

SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007James Morris
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfAswathRangaraj1
 
Best Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXBest Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXNoel McKeown
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap Presentation2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap PresentationShawn Wells
 
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...NETWAYS
 
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...NETWAYS
 
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and FutureGWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and FutureGWAVA
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 
OSMC 2010 | Insides SUSE Linux by Joachim Werner
OSMC 2010 | Insides SUSE Linux by Joachim WernerOSMC 2010 | Insides SUSE Linux by Joachim Werner
OSMC 2010 | Insides SUSE Linux by Joachim WernerNETWAYS
 
Engage 2019 - SUSE Linux and Container update
Engage 2019 - SUSE Linux and Container updateEngage 2019 - SUSE Linux and Container update
Engage 2019 - SUSE Linux and Container updateChristian Holsing
 
A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015Henry Huang
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
 
Learn OpenStack from trystack.cn
Learn OpenStack from trystack.cnLearn OpenStack from trystack.cn
Learn OpenStack from trystack.cnOpenCity Community
 
Linux Environment- Linux Basics
Linux Environment- Linux BasicsLinux Environment- Linux Basics
Linux Environment- Linux BasicsTrinity Dwarka
 

Ähnlich wie Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008 (20)

SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
 
Best Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXBest Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIX
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
Selinux
SelinuxSelinux
Selinux
 
2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap Presentation2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap Presentation
 
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
 
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
 
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and FutureGWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
OSMC 2010 | Insides SUSE Linux by Joachim Werner
OSMC 2010 | Insides SUSE Linux by Joachim WernerOSMC 2010 | Insides SUSE Linux by Joachim Werner
OSMC 2010 | Insides SUSE Linux by Joachim Werner
 
Engage 2019 - SUSE Linux and Container update
Engage 2019 - SUSE Linux and Container updateEngage 2019 - SUSE Linux and Container update
Engage 2019 - SUSE Linux and Container update
 
A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
Learn OpenStack from trystack.cn
Learn OpenStack from trystack.cnLearn OpenStack from trystack.cn
Learn OpenStack from trystack.cn
 
Linux Environment- Linux Basics
Linux Environment- Linux BasicsLinux Environment- Linux Basics
Linux Environment- Linux Basics
 
2011 NASA Open Source Summit - Brian Stevens
2011 NASA Open Source Summit - Brian Stevens2011 NASA Open Source Summit - Brian Stevens
2011 NASA Open Source Summit - Brian Stevens
 
linux.pptx
linux.pptxlinux.pptx
linux.pptx
 

Mehr von James Morris

sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlJames Morris
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking OverviewJames Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004James Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004James Morris
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoJames Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)James Morris
 

Mehr von James Morris (8)

sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking Overview
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
 

Kürzlich hochgeladen

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008

  • 1. Have You Driven an SELinux Lately? An update on the Security Enhanced Linux Project James Morris Red Hat Asia Pacific Pte Ltd Ottawa Linux Symposium 2008
  • 2. Project Timeline ● 1980s – 1990s – Academic R&D ● 2000 – 2003 – GPL release, upstream merge ● 2003 – 2005 – Distribution integration ● 2005 – present – Infrastructure and usability improvements
  • 3. Infrastructure Work ● Loadable Policy Modules ● Reference Policy ● Policy Booleans ● Libraries ● Toolchain
  • 4. User Experience ● Targeted Policy – Initially confined only critical applications – Now re-merged with hundreds of modules ● Targeted behavior selected via the unconfined module ● Setroubleshoot – Inspired by GNOME bug buddy
  • 6. System Administration ● audit2why ● semanage ● restorecond ● system-config-selinux
  • 8. Policy Development ● Command line tools for quick fixes ● SLIDE ● SEEdit
  • 10. Core Enhancements ● Performance and scalability improvements ● Integrated with kernel memory protection ● Netfilter-based network controls ● Labeled Networking ● Better MLS
  • 11. Security Evaluation ● RHEL5 Common Criteria certifications – LSPP, RBACPP, CAPP at EAL4+ – IBM, HP and SGI hardware – Community effort – Led to improved audit and other features ● Other Accreditation – US Coast Guard Intelligence case study
  • 12. Threat Mitigation “A security framework originally published by the US National Security Agency has begun to rack up an impressive list of protections against security holes.” – LinuxWorld, Feb 2008 ● SELinux has mitigated several serious security threats to everyday users of Fedora & RHEL. ● Tracked @ Tresys Mitigation News
  • 13. SELinux Adoption ● Widely adopted in Fedora – Smolt statistics show majority have SELinux enabled. ● RHEL adoption by military, govt, finance: – Factor in NYSE/Euronext adoption, handling over $140 Billion/day in trades. ● Embedded / consumer electronics: – Reduce risks and costs of vulnerabilities – Simpler systems can have tighter policy
  • 14. Kiosk Mode (xguest) ● Anonymous desktop sessions ● Innovative application of several security technologies ● Useful for conferences, training, trade shows, libraries, child-proofing...
  • 15. Current Work ● Wider distribution support: – Ubuntu, Debian, Gentoo ● Beyond kernel: – Virtualization (XSM) – Desktop (XACE) – Storage (LNFS) – Applications (Database etc.) ● Beyond Linux: – OpenSolaris FMAC
  • 16. Challenges ● Improved usability, as always! ● Documentation ● Keep community growing
  • 17. How to Participate ● Install SELinux enabled distribution ● Join mailing lists ● IRC ● Ask questions, report bugs!