Securing The X Window System With SELinux

Doug Kilpatrick

NAI Labs

Wayne Salamon

NAI Labs

Chris Vance

NAI Labs

Table of Contents
Overview of the X Architecture
Threats and Security Concerns
Security Architecture for the X Protocol
Security-Aware Applications


The X Window System, or `X11', has become the standard graphical engine for the Unix and Linux operating systems. Its network-based design and platform independent support for a wide range of operating systems and hardware has contributed greatly to its acceptance. [XOrgIntro]

The X protocol was designed with compatibility and performance in mind, not security. However, since the X protocol is a constrained channel of communication, it enables the enforcement of a security policy While there has been quite a bit of research done in the past to secure X11, many solutions are specific to the government's Multi-Level Security (MLS) model, and are not in widespread use.

NSA Security-Enhanced Linux (SELinux) [SELinux]. is an implementation of Flask, a flexible and fine-grained mandatory access control (MAC) architecture [FlaskArch]. SELinux can enforce an administratively defined security policy over all processes and objects in the system, basing decisions on labels containing a variety of security-relevant information. The architecture provides flexibility by cleanly separating the policy decision-making logic from the policy enforcement logic. The policy decision-making logic is encapsulated within a single component, known as the security server, with a general security interface. A wide range of security models can be implemented as security servers without requiring any changes to any other component of the system. The design and implementation of the SELinux prototype is described in [LoscoccoFreenix2001] and [LoscoccoNSATR2001], both of which can be found at the NSA SELinux web site.

On a current SELinux system, applications can use the X server as an additional communications vector, unregulated by the system policy. In addition, applications can manipulate the X server to attack other client applications, or to mislead the user. By running the X Server on an SELinux system, and by extending the FLASK architecture to allow the X Server to act as a trusted application, the security of the user operating environment should be enhanced.

This paper assumes familiarity with the Flask architecture and its Linux implementation. The paper starts with an overview of the X11 architecture and desirable security functionality. the Section called Security Architecture for the X Protocol lists the object classes that will need to be labeled, the permissions those object classes support, and the control requirements for each of the X11 protocol operations. The security features for error and event processing are then described in the Section called Handling Errors and the Section called Events. Finally, the Section called Security-Aware Applications discusses security-aware applications.