SELinux

Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.

SELinux: What is SELinux?
- A kernel level MAC (Mandatory Access Control) implementation for Linux
- Originally commissioned and built by/for the NSA
- A head-ache for the uninitiated
- Very effective if done right
  - Not the usual case BTW
- One of three well known MAC implementations
  - Trusted Solaris
  - Mainframe “Top Secret” and RACF.
    - Top Secret is a product of Computer Associates
    - RACF – Resource Access Control Facility
    - RACF is the access control system used by IBM on its mainframe line of computers

SELinux: Access Control Philosophies
- MAC: Mandatory Access Control
  - Cannot be worked around
  - I own it, not you.
  - Ex: Directory “Secret” is owned by “Agent”. “Agent” does not have authority to grant access to others. Only the “Owner” does.
- DAC: Discretionary Access Control
  - It’s yours, do what you will.
  - Same example: “Agent” can grant access to whomever she cares.
- RBAC: Role Based Access Control
  - Depending on what your role is, maybe.
  - If “Agent” has the correct Role, she can, otherwise she can’t.

SELinux: SELinux past tense.
- Auditing and reporting support very limited and poorly integrated in SELinux.
- One big ugly policy.
- No decent interface for managing policies.
  - SLIDE (new tool)
- Building policies was a flat file hack style.
- Fresh files got no label. You had to comb the system to find and label them manually.
- Poor scalability with SMP.

SELinux: Recent improvements.
- FC4 policy now has over 120 confined domains, updates in Hardened Gentoo, and support being mainstreamed into Debian.
- MultiLevel Security support enhanced and mainstreamed.
- Audit system enhanced and increasingly integrated.
- RHEL5 entered into