SlideShare uma empresa Scribd logo

Overview of NSA Security Enhanced Linux - FOSS.IN/2005

J
James Morris

Overview of NSA Security Enhanced Linux - FOSS.IN/2005 Presentation given in Bangalore, India.

TecnologiaNotícias e política
1 de 16
Baixar para ler offline
Overview of NSA Security Enhanced Linux James Morris jmorris@namei.org FOSS.IN/2005 Bangalore, India
What is SELinux? ● Fine­grained Mandatory Access Control (MAC) ● Strongly separated domains ● Provides confinement of: ● malicious code ● flawed code ● user error/intention ● Enforces least privilege ● Protects integrity ● Flexible policy
Discretionary Access Control (DAC)  ● Traditional Unix security model ● DAC is inadequate: – Decisions only based on user identity and ownership – No protection against malicious or flawed software – Each user has complete discretion over own objects – Only two major categories of users: admin and other – Coarse­grained and too much privilege – Unbounded privilege escalation
Mandatory Access Control (MAC) ● “Missing link” of security in general OSs ● Primary features: – Administratively­set security policy – Control over all processes and objects – Decisions based on all security­relevant information
MAC Implementation ● Traditionally inflexible, maps poorly to general case ● More than just Multilevel Security (MLS): – Enforce integrity, least privilege ● Generalized MAC via Type Enforcement (TE) ● Transparent to applications ● Decompose administrator role ● Policy flexibility
SELinux Framework ● Composition of several security models – Role­Based Access Control (RBAC) – Type Enforcement (TE) – Optional Multilevel Security (MLS) ● Separation of mechanism and policy ● Can support further models as required
Type Enforcement (TE) ● Domains for processes, types for objects ● Control access to objects by domains ● Control interactions between domains ● Control entry into domains ● Bind domains to code
Types ● Attributes assigned to objects and domains ● Things of the same type are security­equivalent ● Examples: – httpd_t (apache execution domain) – httpd_log_t (apache log files) – httpd_config_t (apache configuration files) – httpd_sys_content_t (web content)
Type Enforcement Rules ● TE rules defined in policy ● Include object labeling, and access control rules ● Examples: • allow httpd_t httpd_log_t:file  { create ioctl read getattr lock append }; • allow httpd_t httpd_config_t:file { read getattr lock ioctl }; • allow httpd_t httpd_sys_content_t:file { read getattr lock ioctl };
Role Based Access Control (RBAC) ● Roles are attributes assigned to domains, e.g. – sysadm_r – system_r – user_r ● Specifies domains that can be entered by each role ● Specifies roles that are authorized for each user ● Initial domain associated with each user role
Current Status ● Merged into upstream kernel during 2.5 series ● Adopted by several distributions ● Targeted policy for network facing services ● Possibly millions of users ● Basic tools
Current Development ● MLS for production use ● Certifications: LSPP, RBACPP at EAL4+ ● Multi­category Security (MCS) ● Reference policy ● Modular policy
Future Developments & Participation ● Better tools – Policy development and analysis ● High level policy language ● Distributed security management – User management, policy distribution, logging ● Desktop ● Application­level
More Future Developments... ● Networked filesystems ● Hardware security (TPM): – Verified boot – Integrity verification – Remote attestation – Trusted path ● Virtualization ● Cryptographic policy
Resources ● NSA SELinux Pages http://www.nsa.gov/selinux/ ● SELinux for Distributions http://selinux.sourceforge.net/ ● Mailing Lists (see above) ● IRC: irc.freenode.net #selinux ● SELinux Symposium 2006 (Feb/Mar) http://www.selinux­symposium.org/
Acknowledgments ● Much of the source material for these slides was  derived from existing NSA presentations: – http://www.nsa.gov/selinux/info/docs.cfm

Recomendados

SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network ExploitationUTD Computer Security Group
 
Intruders and Intrusion detection in Cryptosystems
Intruders and Intrusion detection in CryptosystemsIntruders and Intrusion detection in Cryptosystems
Intruders and Intrusion detection in CryptosystemsVelanSalis
 
User And Physical Security
User And Physical SecurityUser And Physical Security
User And Physical Securityguest648519
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network securityUTD Computer Security Group
 
Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Kabul Education University
 
Network security
Network securityNetwork security
Network securityDonald West Rock
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to ExploitationUTD Computer Security Group
 

Recomendados

SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network ExploitationUTD Computer Security Group
 
Intruders and Intrusion detection in Cryptosystems
Intruders and Intrusion detection in CryptosystemsIntruders and Intrusion detection in Cryptosystems
Intruders and Intrusion detection in CryptosystemsVelanSalis
 
User And Physical Security
User And Physical SecurityUser And Physical Security
User And Physical Securityguest648519
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network securityUTD Computer Security Group
 
Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Kabul Education University
 
Network security
Network securityNetwork security
Network securityDonald West Rock
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to ExploitationUTD Computer Security Group
 
Encryption
EncryptionEncryption
EncryptionZeeshan Butt
 
Group Presentation Slide Week13
Group Presentation Slide Week13Group Presentation Slide Week13
Group Presentation Slide Week13Yorito Tamura
 
Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresJose L. Quiñones-Borrero
 
wanna be h4ck3r !
wanna be h4ck3r !wanna be h4ck3r !
wanna be h4ck3r !Eslam El Husseiny
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementSam Bowne
 
Weaponization of IoT
Weaponization of IoTWeaponization of IoT
Weaponization of IoTJose L. Quiñones-Borrero
 
Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCUJose L. Quiñones-Borrero
 
Hacking its types and the art of exploitation
Hacking its types and the art of exploitationHacking its types and the art of exploitation
Hacking its types and the art of exploitationShubhamChoudhary171
 
IWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW
 
Making a SOC Analyst
Making a SOC AnalystMaking a SOC Analyst
Making a SOC AnalystPaulAronhalt
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Metasploit
MetasploitMetasploit
MetasploitParth Sahu
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingSam Bowne
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleSam Bowne
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)Sam Bowne
 
BackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksBackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksKnoldus Inc.
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Scot Berner
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementSam Bowne
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 

Mais conteúdo relacionado

Mais procurados

Group Presentation Slide Week13
Group Presentation Slide Week13Group Presentation Slide Week13
Group Presentation Slide Week13Yorito Tamura
 
Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresJose L. Quiñones-Borrero
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementSam Bowne
 
Hacking its types and the art of exploitation
Hacking its types and the art of exploitationHacking its types and the art of exploitation
Hacking its types and the art of exploitationShubhamChoudhary171
 
IWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW
 
Making a SOC Analyst
Making a SOC AnalystMaking a SOC Analyst
Making a SOC AnalystPaulAronhalt
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingSam Bowne
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleSam Bowne
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)Sam Bowne
 
BackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksBackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksKnoldus Inc.
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Scot Berner
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementSam Bowne
 

Mais procurados (20)

Encryption
EncryptionEncryption
Encryption
 
Group Presentation Slide Week13
Group Presentation Slide Week13Group Presentation Slide Week13
Group Presentation Slide Week13
 
Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and Countermeasures
 
wanna be h4ck3r !
wanna be h4ck3r !wanna be h4ck3r !
wanna be h4ck3r !
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access Management
 
Weaponization of IoT
Weaponization of IoTWeaponization of IoT
Weaponization of IoT
 
Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCU
 
Hacking its types and the art of exploitation
Hacking its types and the art of exploitationHacking its types and the art of exploitation
Hacking its types and the art of exploitation
 
IWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling access
 
Making a SOC Analyst
Making a SOC AnalystMaking a SOC Analyst
Making a SOC Analyst
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
Metasploit
MetasploitMetasploit
Metasploit
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
 
BackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksBackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacks
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
 

Semelhante a Overview of NSA Security Enhanced Linux - FOSS.IN/2005

Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22jemtallon
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
Single Sign-on Framework in Tizen
Single Sign-on Framework in TizenSingle Sign-on Framework in Tizen
Single Sign-on Framework in TizenRyo Jin
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinuxShay Cohen
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxFFRI, Inc.
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Defensive information warfare on open platforms
Defensive information warfare on open platformsDefensive information warfare on open platforms
Defensive information warfare on open platformsBen Tullis
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007James Morris
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Cassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache CassandraCassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache CassandraAnant Corporation
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.pptajajkhan16
 

Semelhante a Overview of NSA Security Enhanced Linux - FOSS.IN/2005 (20)

Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
Selinux
SelinuxSelinux
Selinux
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
Single Sign-on Framework in Tizen
Single Sign-on Framework in TizenSingle Sign-on Framework in Tizen
Single Sign-on Framework in Tizen
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Defensive information warfare on open platforms
Defensive information warfare on open platformsDefensive information warfare on open platforms
Defensive information warfare on open platforms
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux Networking
 
Cassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache CassandraCassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache Cassandra
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
 

Mais de James Morris

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSJames Morris
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlJames Morris
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking OverviewJames Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004James Morris
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004James Morris
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoJames Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)James Morris
 

Mais de James Morris (13)

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFS
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking Overview
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
 

Último

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 

Último (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 

Overview of NSA Security Enhanced Linux - FOSS.IN/2005

  • 1. Overview of NSA Security Enhanced Linux James Morris jmorris@namei.org FOSS.IN/2005 Bangalore, India
  • 2. What is SELinux? ● Fine­grained Mandatory Access Control (MAC) ● Strongly separated domains ● Provides confinement of: ● malicious code ● flawed code ● user error/intention ● Enforces least privilege ● Protects integrity ● Flexible policy
  • 3. Discretionary Access Control (DAC)  ● Traditional Unix security model ● DAC is inadequate: – Decisions only based on user identity and ownership – No protection against malicious or flawed software – Each user has complete discretion over own objects – Only two major categories of users: admin and other – Coarse­grained and too much privilege – Unbounded privilege escalation
  • 4. Mandatory Access Control (MAC) ● “Missing link” of security in general OSs ● Primary features: – Administratively­set security policy – Control over all processes and objects – Decisions based on all security­relevant information
  • 5. MAC Implementation ● Traditionally inflexible, maps poorly to general case ● More than just Multilevel Security (MLS): – Enforce integrity, least privilege ● Generalized MAC via Type Enforcement (TE) ● Transparent to applications ● Decompose administrator role ● Policy flexibility
  • 6. SELinux Framework ● Composition of several security models – Role­Based Access Control (RBAC) – Type Enforcement (TE) – Optional Multilevel Security (MLS) ● Separation of mechanism and policy ● Can support further models as required
  • 7. Type Enforcement (TE) ● Domains for processes, types for objects ● Control access to objects by domains ● Control interactions between domains ● Control entry into domains ● Bind domains to code
  • 8. Types ● Attributes assigned to objects and domains ● Things of the same type are security­equivalent ● Examples: – httpd_t (apache execution domain) – httpd_log_t (apache log files) – httpd_config_t (apache configuration files) – httpd_sys_content_t (web content)
  • 9. Type Enforcement Rules ● TE rules defined in policy ● Include object labeling, and access control rules ● Examples: • allow httpd_t httpd_log_t:file  { create ioctl read getattr lock append }; • allow httpd_t httpd_config_t:file { read getattr lock ioctl }; • allow httpd_t httpd_sys_content_t:file { read getattr lock ioctl };
  • 10. Role Based Access Control (RBAC) ● Roles are attributes assigned to domains, e.g. – sysadm_r – system_r – user_r ● Specifies domains that can be entered by each role ● Specifies roles that are authorized for each user ● Initial domain associated with each user role
  • 11. Current Status ● Merged into upstream kernel during 2.5 series ● Adopted by several distributions ● Targeted policy for network facing services ● Possibly millions of users ● Basic tools
  • 12. Current Development ● MLS for production use ● Certifications: LSPP, RBACPP at EAL4+ ● Multi­category Security (MCS) ● Reference policy ● Modular policy
  • 13. Future Developments & Participation ● Better tools – Policy development and analysis ● High level policy language ● Distributed security management – User management, policy distribution, logging ● Desktop ● Application­level
  • 14. More Future Developments... ● Networked filesystems ● Hardware security (TPM): – Verified boot – Integrity verification – Remote attestation – Trusted path ● Virtualization ● Cryptographic policy
  • 15. Resources ● NSA SELinux Pages http://www.nsa.gov/selinux/ ● SELinux for Distributions http://selinux.sourceforge.net/ ● Mailing Lists (see above) ● IRC: irc.freenode.net #selinux ● SELinux Symposium 2006 (Feb/Mar) http://www.selinux­symposium.org/
  • 16. Acknowledgments ● Much of the source material for these slides was  derived from existing NSA presentations: – http://www.nsa.gov/selinux/info/docs.cfm