PolicyModules - Policy Management Server - Trac

Wiki Navigation

TracNav menu

Tresys Open Source Projects
Home
Security Enhanced Linux (SELinux)
SELinux Reference Policy
SETools Policy Analysis Suite
SELinux Policy IDE (SLIDE)
CDS Framework IDE
Policy Management Server
Certifiable Linux Integration Platform (CLIP)
Secure IPC Library

SE Linux Loadable Policy Modules

Overview

As a result of the increased integration of SELinux into distributions, the need for a robust policy management infrastructure has become clear. This policy management infrastructure should help administrators and policy authors dynamically deploy, update, and modify SELinux policies in a secure and convenient manner. Loadable policy modules attempt to address this need.

SELinux currently has only limited and ad-hoc support for the modification of its security policy on production systems. All policy changes must be made to the policy source and the entire policy re-compiled, requiring that a full set of policy development tools be installed on production systems. This makes policy changes, including minor changes like adding a user or role, difficult for both administrators and automated tools.

In contrast, loadable policy modules allow for the creation of self-contained policy modules that can be safely linked together without a development environment to create a single system policy. This infrastructure consists of two main components: the policy development tools and the policy module management infrastructure. The policy development tools allow policy authors to create policy modules, including the special base module that forms the core of the system policy. The policy management infrastructure manages the loadable policy components and handles loading the combined base module and modules into the kernel. It is similar in some ways to Linux package management systems like RPM. The main goals of loadable policy modules are:

Ease policy maintenance by allowing administrators to add loadable policy modules, including file system labeling information, for additional application support, users, and roles.
Reduce the resource requirements for policy management on SELinux systems by removing the need for a policy development environment. This is particularly important on resource constrained systems, including embedded platforms.
Allow policy writers to create a policy that is loosely coupled to the overall policy, allowing a single policy module to work with multiple base policies.
Create an infrastructure to manage the modification of the policy with loadable modules to maintain a consistent overall security policy at all times.

A presentation on this work was given at the 2005 SELinux Symposium by Karl MacMillan, it is available here.

Current Release

All module library changes and tools are now in the mainline tree.

Attachments

2-PolicyManagement.pdf (1.2 MB) - added by ccase on 09/22/06 15:11:33.

Download in other formats:

Plain Text

* Generating other formats may take time.