2009 09/03/2009 06/15/2009 56 The SELinux experience has greatly improved since SELinux's first appearance in distributions. Many people now run SELinux without even knowing, or even caring, that it exists. It still, however, has a reputation for being extremely complicated and heavy-weight, and very few people ever attempt to actually customize the SELinux policy to meet their specific security goals. While part of the perception of complexity is real and a consequence of the complexity of the typical modern system which SELinux is controlling, the policy infrastructure, which has grown organically over time, contributes to the problem by being brittle and inflexible, hampering efforts to add new features and hindering experimentation in such things as higher-level policy languages. If the SELinux experience is going to continue to improve, the policy infrastructure must be improved. A new architecture for the policy infrastructure has been designed and is being implemented. This architecture will support higher-level languages by providing a better intermediate language that provides more flexible and useful language abstractions to build higher-level language constructs. It will better support the use of additional tools (such as policy goal verifiers) during a policy build. It will allow for the separation of the distribution's policy from the local customizations of that policy. In general, this new architecture will eliminate the brittleness and inflexibility that is currently hindering improvements to SELinux. 06/15/2009