JENNIS SHRESTHA
CSC 345
April 22, 2014
Contents
 Introduction
 History
 Flux Advanced Security Kernel
 Mandatory Access Control Policies
 MAC Vs DAC
 Features
 Distribution
 Conclusion
Introduction
 Security-Enhanced Linux(SELinux) is a Linux kernel
security module that provides the mechanism for
supporting access control security policies including
United States Department of Defense style mandatory
access controls (MAC).
 Implements Flux Advanced Security Kernel to bring
MAC into use in Linux.
History
 Original primary Developer – The United States
National Security Agency
 First version released on Dec 22, 2000
 Significant Contributors – Network Associates,
Red Hat, Secure Computing Corporation, Tresys
Technology and Trusted Computer Solutions
Flux Advanced Security Kernel
 Developed for Mach microkernel by NSA, the
University of Utah and Secure Computing
Corporation.
 Operating system security architecture that provides
flexible support for security policies.
 Open Solaris FMAC, TrustedBSD, NSA's SE Linux.
FLASK Mechanism
•Provides flexibility and coordinate subsystems
•Makes security decisions
•Evaluates requirements to take
decisions
•Monitors decisions over time
FLASK Mechanism
 Architecture provides interface for retrieving access,
labeling and polyinstantiation.
 Access Vector Cache module allows object manger to
cache access decisions to minimize overhead time.
 Architecture provides object manager to register
changes security policies.
Mandatory Access Control Policies
 Administrator can control and define users’ access to
resources.
 Users cannot modify or change the permissions and
access rights.
 Can be used to protect network, block ports and
sockets.
MAC Mehanism
MAC Vs DAC
MAC Vs DAC
 In DAC, security policies enforced can be easily
overridden
 Depends on ownership of the object and subject
identity.
 Many hacking issues.
Features
 Enforces clean separation of policy
 Independent of specific security label formats and
contents
 Increased efficiency because of caching of access
decisions
 Initialization, inheritance and program execution can
be controlled
 File systems, directories, files, and open file
description can be controlled
Distribution
•
•
•
•
•
•
Fedora Core 2
Debi an
Gentoo
SuSe
SE-BSD
SE-MACH
Conclusion
 More secure operating system
 Helps administrator to control over resource access
 Open source allows system to improve rapidly.
 Digitized materials are in safe hands.
References













Ray Spencer, Stephen Smalley,, Peter Loscocco, Mike Hibler, David Andersen, and , Jay Lepreau. "The
Flask Security Architecture: System Support for Diverse Security Policies." N.p., n.d. Web.
"Frequently Asked Questions." SELinux Frequently Asked Questions (FAQ). N.p., n.d. Web. 23 Apr.
2014. <http://www.nsa.gov/research/selinux/faqs.shtml#I2>.
"Security Enhanced Linux." Security-Enhanced Linux. N.p., n.d. Web. 23 Apr. 2014.
<http://www.nsa.gov/research/selinux/>.
"NB TE." - SELinux Wiki. N.p., n.d. Web. 23 Apr. 2014. <http://selinuxproject.org/page/NB_TE>.
"16.3. Explanation of MAC." 16.3. Explanation of MAC. N.p., n.d. Web. 23 Apr. 2014.
<http://www5.us.freebsd.org/doc/handbook/mac-initial.html>.
"Mandatory Access Control." What Is ? N.p., n.d. Web. 23 Apr. 2014.
<http://www.webopedia.com/TERM/M/Mandatory_Access_Control.html>
"Security-Enhanced Linux." Wikipedia. Wikimedia Foundation, 23 Apr. 2014. Web. 23 Apr. 2014.
<http://en.wikipedia.org/wiki/Security-Enhanced_Linux>.