A New SELinux Policy Infrastructure
This talk will discuss the requirements and design of a new SELinux policy infrastructure. It is hoped that this talk will lead the SELinux community to validate the requirements, accept the new architecture, and agree on a plan to replace the old infrastructure.
The SELinux experience has greatly improved since SELinux’s first appearance in distributions. Many people now run SELinux without even knowing, or even caring, that it exists. It still, however, has a reputation for being extremely complicated and heavy-weight, and very few people ever attempt to actually customize the SELinux policy to meet their specific security goals. While part of the perception of complexity is real and a consequence of the complexity of the typical modern system which SELinux is controlling, the policy infrastructure, which has grown organically over time, contributes to the problem by being brittle and inflexible, hampering efforts to add new features and hindering experimentation in such things as higher-level policy languages. If the SELinux experience is going to continue to improve, the policy infrastructure must be improved.
A new architecture for the policy infrastructure has been designed and is being implemented. This architecture will support higher-level languages by providing a better intermediate language, one that offers more flexible and useful language abstractions from which higher-level language constructs can be built. It will better support the use of additional tools (such as policy goal verifiers) during a policy build. It will allow the distribution's policy to be separated from the local customizations of that policy. In general, this new architecture will eliminate the brittleness and inflexibility that are currently hindering improvements to SELinux.
National Security Agency
James Carter is a member of the Security Enhanced Linux development team at the National Security Agency, and has been performing computer security research and development for the NSA's Information Assurance Research Group since 2002.