SELinux Protected Paths Revisited
نویسنده
چکیده
We revisit the notion of achieving a protected communication path for applications connected via the Internet using SELinux. Last year, we discussed the mechanism for integrating IPsec with SELinux security labels, but we did not consider the system goals for using such labels. Toward this end, we revisit early SELinux proposals for what is called a protected path. A protected path is a secure communication path that has the same security guarantees as if the two ends are directly connected on a trusted platform and mutually authenticated. If a protected path can be constructed over the Internet in a reliable manner, then distributed applications can be as secure as two applications running on the same, isolated environment. A variety of challenges remain in building a protected path system, but interestingly, efforts are underway in most areas, with the notable exception of secure windowing systems. This talk will outline an approach to protected paths in the context of a distributed computing example, what work is underway toward achieving protected paths, and what is required of that work to compose protected paths with SELinux.
منابع مشابه
Analyzing Integrity Protection in the SELinux Example Policy
In this paper, we present an approach for analyzing the integrity protection in the SELinux example policy. The SELinux example policy is intended as an example from which administrators customize to create a policy for their site’s security goals, but the complexity of the model and size of the policy make this quite complex. Our aim is to provide an access control model to express site securi...
متن کاملCommunication Strategies Revisited: Looking beyond Interactional and Psycholinguistic Perspectives
Second language (L2) communication strategies (CSs) have traditionally been dealt with through either interactional or psychological perspectives. However, this paper is a critical attempt to question the status of the particular kinds of psycholinguistic and interactional approaches that currently dominate the field of second language acquisition (SLA). In this way, it expands the significance...
متن کاملTowards Intuitive Tools for Managing SELinux: Hiding the Details but Retaining the Power
The details of the SELinux access control mechanisms lead to the perception that SELinux is too complex for non-expert users to manage. We present techniques that bridge the gap between the comprehensive, low-level SELinux access controls and the intuitive, high-level abstractions familiar to system administrators. These techniques shield the user from SELinux implementation details without sac...
متن کاملRegion Analysis for Race Detection
Automatic race detection of C programs requires fast, yet sufficiently precise, analysis of dynamic memory. Therefore, we present a region-based pointer analysis which seeks to identify disjoint regions of dynamically allocated objects to ensure that write accesses to the same region are always protected by the same mutexes. Our approach has been implemented within the interprocedural analyzer ...
متن کاملSELinux and MLS: Putting the Pieces Together
Multi-Level Security (MLS) has been implemented on many different operating systems. We will discuss the reasons and motivations behind the improvements to the MLS model in SELinux that were accepted into the 2.6.12 Linux Kernel. An introduction to SELinux MLS representation, policy creation, and integration is provided to help further the adoption and use of this technology.
متن کامل