Submitted to SELinux Symposium 2007

Application of the Flask Architecture to the X Window System Server

Eamon F. Walsh
National Information Assurance Research Laboratory
National Security Agency
ewalsh@tycho.nsa.gov

Abstract:

This paper outlines the progress that has been made on extending the coverage of Security-Enhanced Linux access controls to the X Window System server, a major component of the Linux desktop. This has been accomplished by applying the Flask architecture to the X server and extending the reach of SELinux policy to cover X server objects. Modifications have been made to both the SELinux library and the X.Org X server implementation in support of this goal. In the SELinux library, improved capabilities for obtaining policy decisions from the kernel were added. In the X server, a set of general security hooks was added, followed by a Flask module that makes use of them. This module extends the enforcement of kernel-based security policy to the X server in userspace, providing fine-grained access and information flow control to this vital desktop component using the existing SELinux policy store and toolchain.