Open Source Software at Tresys


This is an archived project which is no longer maintained by Tresys.
Please visit our Open Source Software index page for a directory of our active projects.

SELinux Policy Server

Overview

As SELinux has matured it has become apparent that there are three important and much needed additional capabilities. First, there are only coarse grained, all or nothing permissions controlling changes and updates to the policy. A domain with permission to load a policy into a running system has permission to completely change the policy in arbitrary ways. This makes it difficult to securely divide pieces of the policy administration among several administrators for managing and controlling limited parts of the policy or create automated policy management tools. Second, there is a need for more robust support for user-space applications and daemons that integrate SELinux as a security model. This includes support for dynamically registering object classes and creating a scalable architecture for providing access control decisions. Finally, more infrastructure is needed for policy management, both local and networked. The recent policy module work begins to address some of the management issues, but more work is needed.

The solution to these challenges is a policy management and protection infrastructure, including an enhanced SELinux policy language and user-space policy management infrastructure. This infrastructure will manage and protect the policy, communicating with the SELinux kernel, user-space object managers, and eventually other other SELinux management applications over the network. The explicit goals for the policy server are:

This project will attempt to solve these problems within the SELinux community for feedback and participation. The policy server will be an evolving application and the more community feedback we get the better the end result will be. This project is under active development with full time development staff from Tresys Technology. More Documentation will be added to this page in the near future.

Archived Release

Policy Management and Distribution

The current release is an early prototype of an infrastructure for managing the policy for a network of machines.

Policy Access Control

The current release demonstrates the servers capabilities to manage and enforce decisions on policy modifications. See the quickstart guide for information on the functionality of the server. We appreciate any testing that you can do but urge you not to use this in production. The binary policy built by this package will work on any SELinux system as the kernel format has not changed. The infrastructure for managing policies exists entirely in userspace and has not changed the kernel at all.


Downloads

Policy Management and Distribution

Interim prototype pmd-interim.tar.bz2

Policy Server (Policy Access Control)

via Source

Download selinux-pms-support

It contains the patches needed to support networking. The patches were created using Quilt. To apply the patches with quilt:

> cd selinux-pms-support
> quilt push -a

After the patches have been applied follow the normal installation directions described in the README file.

Optionally check out the Refpolicy branch:

Download refpolicy-pms-support

It contains patches to enable the use of metapolicy as well as a sample use case. The patches were created using Quilt. To apply the patches with quilt:

> cd refpolicy-pms-support
> quilt push -a

After the patches have been applied follow the normal installation directions described in the README file.

Check out the PMS branch:

Download trunk-pms

Follow the instructions in the INSTALL file.