Conclusions

The integration of mandatory access controls into Linux is necessary if secure systems are to be built on Linux. Since no single security model is suitable for all purposes, a general-purpose solution must be sought. SELinux has many of the properties that should be considered for a general-purpose security architecture.

SELinux is a comprehensive and flexible system with a well-defined MAC architecture that has been validated through several prototypes. It cleanly separates policy decisions from their enforcement using a general interface. It provides support for policy changes and is independent of the policy, the policy language, and the labeling format. It has individual labels and controls for kernel objects and services, allowing fine-grained control over abstractions including file systems, directories, files, open file descriptions, sockets, messages, network interfaces, and the use of capabilities. Additionally, SELinux has configurable default behavior that allows the security mechanisms to function transparently to applications.

The security model chosen for the prototype SELinux security server has proven to be an effective one. Using its combination of identity-based access control (IBAC), role-based access control (RBAC) and type enforcement (TE), the SELinux security server provides flexible support for a wide range of security policies, and the system can be configured to meet many security requirements. The flexibility of SELinux allows the security server to be modified or replaced as needed without impacting the rest of the kernel.

The example security policy configuration released with SELinux serves as an example of how a number of important security objectives may be met using the prototype's security model. The flexibility of the security policy mechanism, attained through the configuration files, enables the policy to be easily modified and extended, allowing the customization that might be required for any given installation. Hence, many security policies can be supported with the same base system.

Type Enforcement has proven a valuable security policy abstraction that has made the SELinux prototype a better system. Its advantages over the traditional approaches to MAC have led to a security policy that better protects the system. The potential that the TE access matrix could become quite complex is a possible downside to TE, but the benefits that TE offers should far outweigh this. Experience with SELinux shows that a realistic policy can be constructed that greatly improves security. Complexity can be managed through the distribution of base security policies with the system that allow individual installations to customize the policy as needed rather than start from scratch. Complexity can be further managed through policy specification language enhancements and the development of policy specification and analysis tools.
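The following is an added illustration, written for this page and not code from the SELinux security server, of how the three layers named above compose into one access decision: the user identity constrains the roles (IBAC), the role constrains the types a process may run in (RBAC), and the TE access matrix decides which permissions a source type holds on a target type for an object class. The users, roles, types and allow rules are constructed for the example; the function names (`compute_av`, `check_access`, `can_transition`, `types_with_access`) are this example's own. The last function is a small instance of the kind of reverse query a policy analysis tool performs over the TE matrix, which is how the complexity discussed above is kept manageable in practice.

```python
"""
Constructed illustration of how identity-based (IBAC), role-based (RBAC) and
type-enforcement (TE) checks compose in an SELinux-style security server.
Teaching example written for this page; not the SELinux security server's
code. The users, roles, types and allow rules below are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Context:
    """A security context: user identity, role and type (the domain, for processes)."""
    user: str
    role: str
    type: str


# IBAC layer: roles each user identity is authorized to assume (constructed).
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "system_u": frozenset({"system_r"}),
    "alice":    frozenset({"user_r", "sysadm_r"}),
    "bob":      frozenset({"user_r"}),
}

# RBAC layer: types (domains) each role is authorized to enter (constructed).
# object_r is the role carried by objects and is valid for every user and type.
OBJECT_ROLE = "object_r"
ROLE_TYPES: Dict[str, FrozenSet[str]] = {
    "system_r": frozenset({"init_t", "httpd_t"}),
    "user_r":   frozenset({"user_t"}),
    "sysadm_r": frozenset({"sysadm_t"}),
}

# TE layer: the access matrix, keyed by (source type, target type, class),
# mapping to the permissions the allow rules grant (constructed).
TE_ALLOW: Dict[Tuple[str, str, str], FrozenSet[str]] = {
    ("httpd_t",  "httpd_content_t", "file"):    frozenset({"read", "getattr"}),
    ("httpd_t",  "httpd_log_t",     "file"):    frozenset({"append", "getattr"}),
    ("user_t",   "user_home_t",     "file"):    frozenset({"read", "write", "getattr"}),
    ("sysadm_t", "shadow_t",        "file"):    frozenset({"read", "write", "getattr"}),
    ("user_t",   "sysadm_t",        "process"): frozenset({"transition"}),
}


def context_is_valid(ctx: Context) -> bool:
    """IBAC and RBAC constraints: the user may hold the role, the role may hold the type."""
    if ctx.role == OBJECT_ROLE:
        return True
    return (ctx.role in USER_ROLES.get(ctx.user, frozenset())
            and ctx.type in ROLE_TYPES.get(ctx.role, frozenset()))


def compute_av(scon: Context, tcon: Context, tclass: str) -> FrozenSet[str]:
    """Access vector: the permissions scon holds on tcon for object class tclass.
    A context that fails the IBAC/RBAC constraints is granted nothing (in SELinux
    such a context would never be assigned an identifier at all); otherwise the
    TE matrix decides."""
    if not (context_is_valid(scon) and context_is_valid(tcon)):
        return frozenset()
    return TE_ALLOW.get((scon.type, tcon.type, tclass), frozenset())


def check_access(scon: Context, tcon: Context, tclass: str,
                 requested: Iterable[str]) -> Tuple[bool, FrozenSet[str]]:
    """Return (allowed, denied permissions) for the requested permission set."""
    denied = frozenset(requested) - compute_av(scon, tcon, tclass)
    return (not denied, denied)


def can_transition(old: Context, new: Context) -> bool:
    """Process domain transition (e.g. on exec): all three layers must agree.
    The new context must be valid for the user (IBAC) and the role (RBAC), and
    TE must allow the old domain to transition into the new one."""
    return (old.user == new.user
            and context_is_valid(new)
            and "transition" in compute_av(old, new, "process"))


def types_with_access(target_type: str, tclass: str, perm: str) -> Set[str]:
    """Reverse query over the TE matrix: which domains hold perm on target_type?
    This is the kind of question a policy analysis tool answers."""
    return {src for (src, tgt, cls), perms in TE_ALLOW.items()
            if tgt == target_type and cls == tclass and perm in perms}


if __name__ == "__main__":
    httpd = Context("system_u", "system_r", "httpd_t")
    content = Context("system_u", OBJECT_ROLE, "httpd_content_t")
    print(check_access(httpd, content, "file", {"read", "write"}))
    print(can_transition(Context("bob", "user_r", "user_t"),
                         Context("bob", "sysadm_r", "sysadm_t")))
    print(types_with_access("shadow_t", "file", "read"))
```

Note how the layers interlock: `TE_ALLOW` permits `user_t` to transition into `sysadm_t`, yet `bob` cannot reach `sysadm_t` because his identity is not authorized for `sysadm_r`, while `alice` can. The TE matrix alone would have let either of them through; IBAC and RBAC are what tie the domain a process may enter back to who is running it.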

The SELinux prototype is very much a work in progress. SELinux was never intended to be a complete secure system. Instead, its intent was to serve as an example of how strong, flexible MAC could be added to a mainstream operating system to greatly improve the security of the system. SELinux succeeds in doing this for Linux. The Linux Security Module project [2] is an important effort to bring MAC to Linux. Success in its goal of creating the general security interface for the Linux kernel will enable Linux users to realize not only the security benefits of SELinux but also those from other security projects.