Skip Research Menus
The following organizations and individuals have contributed to the
Security-enhanced Linux project. The listing of
contributors is partitioned into two lists:
- a list of the original four organizations that contributed to the
initial public release of SELinux,
- a list of external individuals and organizations that have
contributed to SELinux since that initial release.
The Original Contributors
- The National Security Agency (NSA)
- Researchers in NSA's National Information Assurance Research
Laboratory (NIARL) designed and implemented flexible mandatory access
controls in the major subsystems of the Linux kernel and implemented
the new operating system components provided by the Flask
architecture, namely the security server and the access vector cache.
The NSA researchers reworked the LSM-based SELinux for inclusion in
Linux 2.6. NSA has also led the development of similar controls for the X Window System (XACE/XSELinux) and for Xen (XSM/Flask).
- Network Associates Laboratories (NAI Labs)
- The Secure Execution Environments group of NAI Labs
implemented several additional kernel mandatory access controls,
developed the example security policy configuration, ported to the
Linux 2.4 kernel, contributed to the development of the Linux
Security Modules kernel patch, and adapted the SELinux prototype to LSM.
- The MITRE Corporation
- The MITRE Corporation enhanced several common utilities to be
SELinux-aware and developed application security policies
and documentation for the Apache web server, Sendmail, and crond. They
also developed a policy analysis tool (SLAT) and a policy generation
- Secure Computing Corporation (SCC)
- Secure Computing Corporation developed a preliminary security
policy configuration for the system that was used as a starting point
for NAI Labs' configuration. They also developed several new or
External Contributors to SELinux
- Matt Anderson
- Matt Anderson of HP developed support for labeled printing in the
- Ryan Bergauer
- Ryan Bergauer contributed the original policy configuration for Samba.
- Bastian Blank
- Bastian Blank contributed several code cleanups and 64bit fixes for
checkpolicy and libselinux (joint with Joerg Hoh.)
- Thomas Bleher
- Thomas Bleher contributed several new policy files and many
policy patches. He also contributed a patch for audit2allow.
He also adapted the policy configuration for SuSE Linux, and
ported and packaged the SELinux userspace packages for
SuSE Linux (no longer being maintained).
- Joshua Brindle
- Joshua Brindle originally ported and packaged SELinux for the
Hardened Gentoo project along with Chris PeBenito, and contributed
several enhancements to the SELinux userland. Since joining Tresys
Technology, Joshua has helped to develop the loadable policy
module support, hierarchical type support, and the policy management server.
Joshua is one of the maintainers of the core SELinux userland.
- Russell Coker
- Russell Coker originally ported and packaged SELinux for Debian,
and made several enhancements to the SELinux userland. Russell was
the largest single external contributor to the example policy
- John Dennis
- John Dennis of Red Hat developed the setroubleshoot tool for
troubleshooting SELinux denials.
- Janak Desai
- Janak Desai of IBM developed pam_namespace support for polyinstantiated
directories and the original form of multi-level crond support.
- Ulrich Drepper
- Ulrich Drepper contributed several patches to optimize and improve
libselinux, including reworking the string table generation for the
Flask definitions. He provided input and feedback on the SELinux
patch for nscd and on the controls over executable memory.
- Lorenzo Hernandez Garcia-Hierro
- Lorenzo Hernandez Garcia-Hierro developed the execstack and execheap
permission checks for controlling specific forms of executable memory
based on input by Roland McGrath, Ulrich Drepper, and Ingo Molnar.
- Darrel Goeddel
- Darrel Goeddel of Trusted Computer Solutions was one of the
developers of the MLS enhancements to SELinux. Darrel also
contributed other fixes and enhancements to the SELinux kernel and
userland, and helped develop support for context based audit filtering.
- Carsten Grohmann
- Carsten Grohmann contributed the original policy configuration for
Amanda, and several patches to other policy files.
- Steve Grubb
- Steve Grubb of Red Hat helped integrate SELinux with audit,
contributed cleanup patches for pam_selinux, libselinux, enhanced the
boolean utilities and sestatus utility, and improved the checking in
the libselinux AVC netlink code.
- Ivan Gyurdiev
- Ivan Gyurdiev developed support for managing and manipulating
non-module policy components in libsepol, libsemanage and
policycoreutils. He also contributed a number of patches to provide
better abstraction and organization in libsepol. He contributed
several policy cleanups and improvements, including the
access_terminal macro, proper marking of shared objects that require
text relocations, the mplayer policy, desktop policy, etc.
- Serge Hallyn
- Serge Hallyn of IBM contributed a number of bug fixes and cleanups
to the SELinux userland and was one of the developers of the original
labeled IPSEC implementation for SELinux.
- Chad Hanson
- Chad Hanson of Trusted Computer Solutions was one of the
developers of the MLS enhancements to SELinux. He also contributed
several fixes and enhancements for the policy compiler, such as
node context and role dominance ordering, and various improvements to the
SELinux userland and kernel code.
- Joerg Hoh
- Joerg Hoh contributed several code cleanups and 64bit fixes for
checkpolicy and libselinux (joint with Bastian Blank.)
- Trent Jaeger
- Trent Jaeger of IBM (now at Penn State University) led the development
of the original labeled IPSEC implementation.
- Dustin Kirkland
- Dustin Kirkland of IBM helped develop support for auditing of SELinux
- Kaigai Kohei
- Kaigai Kohei of NEC replaced the original Access Vector Cache
(AVC) locking scheme with a RCU-based approach, which solved the major
SELinux kernel scalability problem, and fixed other locking issues in
the SELinux kernel code. He later optimized the SELinux ebitmap
implementation to improve performance on AVC misses. He also
developed SE PostgreSQL, and is one of the developers for the SE
- Paul Krumviede
- Paul Krumviede contributed to the original IPSEC policy configuration.
- Joy Latten
- Joy Latten of IBM modified IPSEC tools for labeled IPSEC, and
developed policy for labeled IPSEC. Joy also ported the SELinux
testsuite to the LTP.
- Tom London
- Tom London contributed several policy patches and a fix for the
- Karl MacMillan
- Karl MacMillan of Tresys Technology helped in developing the
SETools policy analysis suite, the conditional policy (boolean)
support and the loadable module support. Karl also developed
the SEPolgen python module for policy generation. Karl
served as one of the maintainers of the SELinux core userland.
- Brian May
- Brian May contributed several new domains and patches to the policy
configuration. He back ported Russell Coker's work to Debian stable (woody)
and maintained it.
- Frank Mayer
- Frank Mayer of Tresys Technology originally introduced policy to
support policy management, contributed extensions to the policy
compiler, and helped in developing conditional policy support.
He was one of the original developers of the SETools policy analysis
- Todd Miller
- Todd Miller of Tresys Technology helped to develop the final
versions of the genhomedircon rewrite in libsemanage and the policy
capability support in the policy compiler toolchain. Todd is one of
the maintainers of the core SELinux userland.
- Roland McGrath
- Roland McGrath of Red Hat provided input and feedback on the AT_SECURE
support, inheritance controls on execve, and controls over executable
- Paul Moore
- Paul Moore of HP developed the NetLabel explicit packet labeling
framework, including the support for using the Commercial IP Security
Option with IPv4. He is the maintainer of the labeled networking
implementation in Linux. He also developed the kernel support for a
mechanism to allow SELinux controls to be extended in a backward
compatible manner, and has worked on enhancing and unifying the
network access controls.
- James Morris
- James Morris of Red Hat is a maintainer for the SELinux kernel code.
He originally developed the LSM networking hooks and the first labeled
networking implementation for SELinux (Selopt). He has developed
a number of enhancements to SELinux, including new network access controls,
the original context mount support, getpeercon support, SECMARK, etc.
- Yuichi Nakamura
- Yuichi Nakamura of Hitachi Software optimized the SELinux kernel
code to reduce memory usage and to reduce read/write overhead, and he
introduced an embedded build option for the SELinux userland. He
was one of the developers for busybox SELinux support. He
contributed the original policy configuration for BIND.
- Greg Norris
- Greg Norris contributed several new policy files and policy patches.
- Eric Paris
- Eric Paris of Red Hat is one of the maintainers of the SELinux
kernel code and has contributed several enhancements to SELinux,
including the sockcreate API, improved handling of the context mount
options, handling of unknown classes and permissions, and protection
for null derefs.
- Chris PeBenito
- Chris PeBenito originally worked with Joshua Brindle on porting
and packaging SELinux for the Hardened Gentoo project. Chris is the
SELinux team leader for Hardened Gentoo. At Tresys Technology, Chris
developed and maintains the reference policy, which replaced the
original NSA example policy. Chris has also contributed enhancements
for the SELinux userland and kernel code, including the object class
and permission discovery mechanism.
- Red Hat
- Red Hat has integrated full SELinux support into both its
community-based Fedora distribution and its Red Hat Enterprise Linux
distribution. This work included integration of the upstream SELinux
into the distribution as well as the creation of SELinux-aware package
management and other userspace support for SELinux, extensive policy
work to address all applications in the distribution, and administrative
tool support for SELinux. Red Hat has contributed back numerous
enhancements to the SELinux kernel code, userland, and policy to
the SELinux community.
- Petre Rodan
- Petre Rodan contributed several new policy files and many policy patches.
- Shaun Savage
- Shaun Savage helped in porting several of the SELinux utility patches to
newer Red Hat base versions, and he contributed several domains to the
example policy configuration.
- Chad Sellers
- Chad Sellers of Tresys Technology prototyped the polyinstantiated
directory mechanism and developed the new kernel validation mechanism for
checking class and permission definitions.
- Rogelio Serrano Jr.
- Rogelio Serrano Jr. contributed a patch to the SELinux security
module to support automatic type transitions for pts nodes in
devfs prior to the transition to udev.
- Justin Smith
- Justin Smith contributed a domain for ipchains, some patches to the
existing policy configuration, and the initial version of the
newrules script (later renamed to audit2allow).
- Manoj Srivastava
- Manoj Srivastava contributed to the SELinux userland, wrote the
SELinux UML HOWTO, developed SELinux support for xdm, packaged the
SELinux userland for Debian, and worked on SELinux integration into
Debian for the etch release.
- Tresys Technology
- Tresys Technology developed the support for conditional policy
(booleans), loadable policy modules, and policy management
infrastructure. Tresys developed and maintains the reference policy,
which replaced the original NSA example policy. Tresys has also
developed and maintains a number of policy tools and frameworks,
including the original SE Tools policy analysis suite, the SELinux
Policy IDE (SLIDE), and the Cross Domain Solution (CDS) Framework
- Michael Thompson
- Michael Thompson of IBM enhanced newrole to support pam_namespace and
rewrote most of newrole.
- Trusted Computer Solutions
- Trusted Computer Solutions (TCS) developed enhanced MLS support,
enhanced audit support, and dynamic context transition support. TCS
also significantly enhanced and improved the labeled IPSEC support,
and provided assistance with designing forwarding controls. TCS
contributed a number of fixes and enhancements to the SELinux kernel
and userland code.
- Tom Vogt
- Tom Vogt developed patches for the Apache and MySQL policies,
and developed a SubVersion policy.
- Reino Wallin
- Reino Wallin of Oribium Labs contributed some patches to the network
- Dan Walsh
- Dan Walsh of Red Hat ported the original SELinux userspace patches
to the 2.6 SELinux API and to the Fedora Core packages. He is the
maintainer of the targeted policy, and has contributed many policy
files and fixes to the strict and targeted policies. He has
developed SELinux patches for many additional userspace packages.
He developed the system-config-selinux GUI.
- Colin Walters
- Colin Walters contributed build patches and cleanups for
the 2.6-based SELinux, enhanced chcon to accept individual
field options, enhanced setfiles to validate contexts against
a binary policy, and contributed the policy regression testing
patch and package metadata patch. He also enhanced the SELinux
patch for dbusd and developed policy for dbusd.
- Mark Westerman
- Mark Westerman contributed several domains to the example policy
configuration, and he developed the default user patch for Linux users
who do not need to be distinguished by the SELinux policy.
- David A. Wheeler
- David A. Wheeler contributed several new domains to the policy
configuration, provided feedback on the existing configuration, and
made a number of helpful suggestions for improving the SELinux
- Venkat Yekkirala
- Venkat Yekkirala of Trusted Computer Solutions enhanced the
labeled IPSEC mechanism and helped design more comprehensive network
access controls, including forwarding controls.
- Catherine Zhang
- Catherine Zhang of IBM developed interfaces for obtaining peer and
datagram labels for labeled IPSEC.
Linux is a registered trademark of Linus Torvalds
MITRE is a registered trademark of The MITRE Corporation
NAI is a trademark of Networks Associates Technology, Inc.
Red Hat is a registered trademark of Red Hat, Inc. in the US and other countries.
IBM is a registered trademark of International Business Machines Corporation.
HP is a registered trademark of Hewlett-Packard Development Company, L.P.
Secure Computing is a registered trademark of Secure Computing Corporation