Security-Enhanced Linux (SELinux) is an implementation of mandatory access control (MAC) built on the Linux Security Modules (LSM) framework in the Linux kernel, following the principle of least privilege. It is not a Linux distribution but a set of kernel changes (shipped as an LSM), a security policy, and user-space tools that can be added to an existing Linux distribution.
What is SELinux?
A kernel-level MAC (Mandatory Access Control) implementation for Linux
Multi-Level Security (MLS) support enhanced and mainstreamed.
Audit system enhanced and increasingly integrated.
RHEL5 entered evaluation against CAPP (Controlled Access Protection Profile), LSPP (Labeled Security Protection Profile) and RBACPP (Role-Based Access Control Protection Profile), with SELinux providing the labeled-security and role coverage.
Loadable policy modules, build and package policy modules separately.
Policy management API (libsemanage)
Improved support for policy development: Polgen, SEEdit, SLIDE, CDS Framework.
Atomic labeling of new files.
File security labels visible for all filesystems exactly as seen by SELinux.
Major improvements in SMP scalability.
Significant reduction in kernel memory use by policy.
National Security Agency
Researchers in the Information Assurance Research Group of the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask. The NSA has now integrated the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community.
- NSA Website
What’s the point?
Primarily for Government
Systems containing certain classifications of data are required to run under a MAC solution.
Required for/on many government contracts
Helps with audits
Though not necessary, a MAC solution can make many of today’s corporate audits MUCH easier.
Subject: The active entity that requests access, i.e. a process. The type assigned to a process is called its domain.
Object: A resource being accessed (file, directory, socket, etc.).
Types: The primary security attribute of Type Enforcement. Every object carries a type, every process runs in a domain, and policy rules state which domains may perform which operations on which types.
Roles: Define which domains an SELinux identity is permitted to enter; this is the RBAC layer on top of Type Enforcement.
Identities: SELinux users, similar to a Linux username but specific to SELinux. Linux logins are mapped to an SELinux identity.
Contexts: The combination identity:role:type, plus an MLS level or range where MLS is enabled, is a security context, e.g. system_u:object_r:httpd_sys_content_t:s0 on a file.
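The context structure described above, as an added example that is not part of the original slides: a small Python parser for identity:role:type[:level[-level]] strings, a Bell-LaPadula dominance check for the MLS field, and a scan of ps -Z style output for processes running in a given domain. The `ps -Z` lines are constructed for illustration, and the read check is a simplified version of the MLS constraint (the real rule lives in policy); nothing here calls the SELinux user-space libraries.

```python
"""Parse SELinux security contexts and check MLS dominance.

Added example, not from the original slides. The sample `ps -Z` output
below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity s<N> plus a set of categories c<N>."""
    sensitivity: int
    categories: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        # Bell-LaPadula dominance: sensitivity at least as high and a
        # superset of the other level's categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    """Parse 's0', 's2:c1,c3' or 's0:c0.c1023' (a '.' denotes a range)."""
    sens, _, cats = text.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity: {text!r}")
    categories: Set[int] = set()
    if cats:
        for piece in cats.split(","):
            lo, _, hi = piece.partition(".")
            lo_n = int(lo.lstrip("c"))
            hi_n = int(hi.lstrip("c")) if hi else lo_n
            categories.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(categories))


@dataclass(frozen=True)
class Context:
    user: str                      # SELinux identity, e.g. system_u
    role: str                      # e.g. object_r for files, system_r for daemons
    type: str                      # type (domain for a process)
    low: Optional[Level] = None    # current level (MLS policies only)
    high: Optional[Level] = None   # clearance / high level (MLS policies only)


def parse_context(text: str) -> Context:
    """Parse 'user:role:type' or 'user:role:type:low[-high]'."""
    parts = text.split(":", 3)     # the MLS field may itself contain ':'
    if len(parts) < 3:
        raise ValueError(f"not a context: {text!r}")
    user, role, typ = parts[:3]
    low = high = None
    if len(parts) == 4 and parts[3]:
        lo_txt, _, hi_txt = parts[3].partition("-")
        low = parse_level(lo_txt)
        high = parse_level(hi_txt) if hi_txt else low
    return Context(user, role, typ, low, high)


def mls_read_allowed(subject: Context, obj: Context) -> bool:
    """Simplified 'no read up': the subject's current level must dominate
    the object's level. Contexts without an MLS field always pass."""
    if subject.low is None or obj.low is None:
        return True
    return subject.low.dominates(obj.low)


# Constructed sample of `ps -Z` output (not captured from a real system).
PS_Z = """\
LABEL                                                  PID TTY      TIME CMD
system_u:system_r:httpd_t:s0                          1234 ?    00:00:01 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 bash
system_u:system_r:sshd_t:s0-s0:c0.c1023                987 ?    00:00:00 sshd
"""


def processes_in_domains(ps_output: str, domains: Set[str]) -> List[Tuple[int, str]]:
    """Return (pid, cmd) for every process whose domain is in `domains`."""
    hits = []
    for line in ps_output.splitlines()[1:]:     # skip the header line
        label, pid, _tty, _time, cmd = line.split(None, 4)
        if parse_context(label).type in domains:
            hits.append((int(pid), cmd))
    return hits


if __name__ == "__main__":
    print(parse_context("system_u:object_r:httpd_sys_content_t:s0"))
    print(processes_in_domains(PS_Z, {"unconfined_t"}))
```

The same parser works on `ls -Z`, `id -Z` and audit AVC records, since all of them carry contexts in this form; the category expansion is what makes `s0:c0.c1023` comparable to `s0:c5`.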