First page Back Continue Last page Overview Text
Reference implementation of Flask architecture for flexible MAC in Linux – cleanly separates policy from enforcement, well-defined policy interfaces, support for policy changes, fine-grained controls, caching. Supports policy flexibility.
Integrated into the major subsystems of the Linux kernel, covering process, file, socket/networking, System V IPC, etc.
Introduces abstractions of "object classes" and "permissions" for kernel objects and operations.
Maintains security labels on all processes and objects. Called "security contexts", include all security-relevant attributes. File security contexts stored as extended attributes associated with the inode on the disk.
On an attempted access to a kernel object, consults a policy engine to determine whether access is permitted based on security contexts of the process and object.