Having recognized the need for additional security in commonly used and freely available operating systems, the NSA undertook the development of Security-Enhanced Linux. Integrating strong, flexible mandatory access control into Linux has improved overall system security. However, more work can still be done to secure the user operating environment while still providing a usable workstation. By extending the SELinux security server to user-space applications such as the X Server, it becomes easier to apply a consistent security policy to the system as a whole.
By modifying the SELinux policy to place the X11 Server into a trusted domain, and by further permitting the Server to enforce policy upon X clients, it is possible to allow users to run a graphical environment while still preserving system integrity and restricting information flow. Through a careful examination of the X protocol, this report describes which objects must be secured and which types of operations may be performed upon them. In this way, all communication between an X server and X clients can be intercepted and a security policy can be enforced.
This document defines the set of object classes within X11 that must be labeled and controlled in order to provide reasonable security over the X protocol. While the lists of permissions for these objects are quite extensive, after further experimentation and testing, it may be reasonable to combine some similar permissions and yield a smaller effective permission set.
Most X Server implementations allow modular extensions to be loaded so that the Server's functionality can be enhanced. This document does not address X Server extensions, but due to their similarity to Linux kernel modules, they can likely be handled in a similar manner. As with kernel modules, it is difficult to know the exact contents of an extension and what effect it will have on the system. For this reason, the decision to support modules and extensions is often binary: either all extensions are permitted or none are.