SELinux Policy Server
As SELinux has matured, it has become apparent that there are three important and much-needed additional capabilities. First, there are only coarse-grained, all-or-nothing permissions controlling changes and updates to the policy. A domain with permission to load a policy into a running system has permission to completely change the policy in arbitrary ways. This makes it difficult to securely divide policy administration among several administrators who each manage and control limited parts of the policy, or to create automated policy management tools. Second, there is a need for more robust support for user-space applications and daemons that integrate SELinux as a security model. This includes support for dynamically registering object classes and creating a scalable architecture for providing access control decisions. Finally, more infrastructure is needed for policy management, both local and networked. The recent policy module work begins to address some of the management issues, but more work is needed.
The solution to these challenges is a policy management and protection infrastructure, including an enhanced SELinux policy language and user-space policy management infrastructure. This infrastructure will manage and protect the policy, communicating with the SELinux kernel, user-space object managers, and eventually other SELinux management applications over the network. The explicit goals for the policy server are:
- enforce fine-grained access control and delegation of policy access;
- support user-space object managers integrating SELinux support; and
- enable coherent administration of all policy, both locally and networked.
This project will attempt to solve these problems within the SELinux community, inviting feedback and participation. The policy server will be an evolving application, and the more community feedback we get, the better the end result will be. This project is under active development with full-time development staff from Tresys Technology. More documentation will be added to this page in the near future.
Policy Management and Distribution
The current release is an early prototype of an infrastructure for managing the policy for a network of machines. See PmdPrototype for more information.
Policy Access Control
The current release demonstrates the server's capabilities to manage and enforce decisions on policy modifications. See the quickstart guide for information on the functionality of the server. We appreciate any testing that you can do, but urge you not to use this in production. The binary policy built by this package will work on any SELinux system, as the kernel format has not changed. The infrastructure for managing policies exists entirely in userspace and has not changed the kernel at all.