Hello! Especially for students of the Linux Security course, we have prepared a translation of the official SELinux FAQ. We think this translation may be useful not only to students, so we are sharing it with everyone.
We have tried to answer some of the frequently asked questions about the SELinux project. The questions are currently divided into two main categories. All questions and answers are listed on the FAQ page.
Overview
What is Security-enhanced Linux? Security-enhanced Linux (SELinux) is the reference implementation of the Flask security architecture for flexible mandatory access control. It was created to demonstrate the value of flexible mandatory access control mechanisms and how such mechanisms can be added to an operating system. The Flask architecture has subsequently been integrated into Linux and ported to several other systems, including the Solaris operating system, the FreeBSD operating system and the Darwin kernel, spawning a wide range of related work. The Flask architecture provides general support for enforcing many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control and Multi-level Security.
What does Security-enhanced Linux provide that standard Linux cannot? The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum set of privileges they need to do their jobs. With this confinement, the ability of these user programs and system daemons to cause harm when compromised (for example, through a buffer overflow or a misconfiguration) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a “root” superuser and does not share the well-known shortcomings of the traditional Linux security mechanisms (for example, the dependence on setuid/setgid binaries). The security of an unmodified Linux system depends on the correctness of the kernel, of all privileged applications, and of each of their configurations. A problem in any of these areas may allow the compromise of the entire system. In contrast, the security of a system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and of its security policy configuration. Although problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to other user programs and system daemons or to the security of the system as a whole.
What is it good for? The new features of Security-enhanced Linux are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed to prevent processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for allowing a single system to be used by users with differing security authorizations to access multiple kinds of information with differing security requirements without compromising those requirements.
How do I get a copy? Many Linux distributions include SELinux support, either built in by default or as an optional package. The core SELinux userland code is available on GitHub. End users should usually use the packages provided by their distribution.
What is included in your release? The NSA SELinux release includes the core SELinux userland code. SELinux support itself is already included in the mainline Linux 2.6 kernel, available from kernel.org. The core SELinux userland code consists of a library for manipulating binary policies (libsepol), a policy compiler (checkpolicy), a library for security-aware applications (libselinux), a library for policy management tools (libsemanage), and several policy-related utilities (policycoreutils). In addition to the SELinux-enabled kernel and the core userland code, you will need a policy and some SELinux-modified userspace packages in order to use SELinux. Policies can be obtained from the SELinux reference policy project.
Can I install Security-enhanced Linux on an existing Linux system? Yes, you can install only the SELinux modifications on an existing Linux system, or you can install a Linux distribution that already includes SELinux support. SELinux consists of a Linux kernel with SELinux support, a core set of libraries and utilities, some modified user packages, and a policy configuration. To install it on an existing Linux system that lacks SELinux support, you must be able to compile the software and any other required system packages. If your Linux distribution already includes SELinux support, you do not need to build or install the NSA SELinux release.
How compatible is Security-enhanced Linux with unmodified Linux? Security-enhanced Linux provides binary compatibility with existing Linux applications and with existing Linux kernel modules, but some kernel modules may require modification to interact properly with SELinux. These two categories of compatibility are discussed in detail below:
Application compatibility. SELinux provides binary compatibility with existing applications. We extended the kernel data structures to include new security attributes and added new API calls for security-aware applications. However, we did not change any application-visible data structures or the interface of any existing system call, so existing applications can run unchanged as long as the security policy allows them to.
Kernel module compatibility. Initially, SELinux provided only source compatibility with existing kernel modules; such modules had to be recompiled against the modified kernel headers in order to pick up the new security fields added to the kernel data structures. Since LSM and SELinux are now integrated into the mainline Linux 2.6 kernel, SELinux provides binary compatibility with existing kernel modules. However, some kernel modules may interact poorly with SELinux without modification. For example, if a kernel module directly allocates and sets up a kernel object without using the normal initialization functions, the kernel object may lack proper security information. Some kernel modules may also lack proper security controls for their operations; any existing calls to kernel functions or permission functions will also trigger SELinux permission checks, but more fine-grained or additional controls may be required to enforce MAC policies. Security-enhanced Linux should not create interoperability problems with normal Linux systems as long as all necessary operations are allowed by the security policy configuration.
What are the objectives of the example security policy configuration? At a high level, the goal is to demonstrate the flexibility and security of mandatory access controls and to provide a simple, working system with minimal changes to applications. At a lower level, the policy has a number of objectives described in the policy documentation. These goals include controlling raw data access; protecting the integrity of the kernel, system software, system configuration information and system logs; limiting the potential damage that could be caused by exploiting a vulnerability in a process that requires privileges; protecting privileged processes from executing malicious code; protecting the administrator role and domain from being entered without user authentication; preventing ordinary user processes from interfering with system or administrator processes; and protecting users and administrators from the exploitation of vulnerabilities in their browser by malicious mobile code.
Why was Linux chosen as the base platform? Linux was chosen as the platform for the initial reference implementation of this work because of its growing success and open development environment. Linux provides an excellent opportunity to demonstrate that this functionality can succeed in a host operating system while also contributing to the security of a widely used system. The Linux platform also gives this work the widest possible review and may serve as a basis for additional security research by others.
Why did you do this work? The NSA's National Information Assurance Research Laboratory is responsible for researching and developing the technologies the NSA needs to provide information security solutions, products and services for the information infrastructures that are critical to US national security interests. Creating a viable secure operating system remains an essential research task. Our goal is to create an efficient architecture that provides the necessary security support, executes programs in a way that is largely transparent to the user, and is attractive to vendors. We believe that an important step toward this goal is to demonstrate how mandatory access control mechanisms can be successfully integrated into a mainstream operating system.
How does this relate to previous NSA OS research? Researchers at the NSA's National Information Assurance Research Laboratory, together with the Secure Computing Corporation (SCC), developed a powerful and flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC built two Mach-based prototypes of the architecture: DTMach and DTOS (http://www.cs.utah.edu/flux/dtos/). The NSA and SCC then worked with the Flux research group at the University of Utah to port the architecture to the Fluke research operating system. During this port, the architecture was refined to provide better support for dynamic security policies. This refined architecture was named Flask (http://www.cs.utah.edu/flux/flask/). The NSA has now integrated the Flask architecture into the Linux operating system in order to transfer this technology to the wider community of developers and users.
Is Security-enhanced Linux a trusted operating system? The phrase “trusted operating system” usually refers to an operating system that provides sufficient support for multilevel security and assurance to meet a particular set of government requirements. Security-enhanced Linux incorporates useful ideas from these systems but focuses on mandatory access control. The initial task in developing Security-enhanced Linux was to create useful functionality that provides tangible security benefits in a wide range of real-world environments in order to demonstrate this technology. SELinux itself is not a trusted operating system, but it provides a critical security feature, mandatory access control, that a trusted operating system needs. SELinux has been integrated into Linux distributions that were evaluated against the Labeled Security Protection Profile. Information on evaluated and validated products can be found at http://niap-ccevs.org/.
Is it really secure? The concept of a secure system includes many attributes (for example, physical security, personnel security, and so on), and Security-enhanced Linux addresses only a very narrow set of these attributes (that is, mandatory access controls in the operating system). In other words, “secure system” means secure enough to protect some real-world information from a real-world adversary that the owner and/or user of the information cares about. Security-enhanced Linux is only intended to demonstrate mandatory controls in a modern operating system such as Linux, and therefore is unlikely on its own to meet any interesting definition of a secure system. We believe that the technology demonstrated in Security-enhanced Linux will be useful to people who build secure systems.
What have you done to increase assurance? The goal of this project was to add mandatory access controls with minimal changes to Linux. This latter goal severely limits what can be done to increase assurance, so no work was aimed at increasing the assurance of Linux. On the other hand, the enhancements build on previous work on designing a high-assurance security architecture, and most of those design principles carry over to Security-enhanced Linux.
Will CCEVS evaluate Security-enhanced Linux? Security-enhanced Linux by itself is not designed to address the complete set of security problems represented by a protection profile. Although it would be possible to evaluate only its current functionality, we believe that such an evaluation would be of limited value. However, we have worked with others to incorporate this technology into Linux distributions that have been evaluated and into distributions that are in evaluation. Information on evaluated and validated products can be found at http://niap-ccevs.org/.
Have you tried to fix any vulnerabilities? No, we neither searched for nor found any vulnerabilities in the course of our work. We only made enough changes to add our new mechanisms.
Is this system approved for government use? Security-enhanced Linux has no special or additional approval for government use over any other version of Linux.
How is this different from other initiatives? Security-enhanced Linux has a well-defined architecture for flexible mandatory access control that has been experimentally validated with several prototype systems (DTMach, DTOS, Flask). Detailed studies of the architecture's ability to support a wide range of security policies have been performed and are available at http://www.cs.utah.edu/flux/dtos/ and http://www.cs.utah.edu/flux/flask/. The architecture provides fine-grained control over many kernel abstractions and services that are not controlled by other systems. Some of the distinguishing features of Security-enhanced Linux are:
Clean separation of policy from enforcement
Well-defined policy interfaces
Independence from specific policies and policy languages
Independence from specific security label formats and contents
Separate labels and controls for kernel objects and services
Caching of access decisions for efficiency
Support for policy changes
Controls over process initialization and inheritance and program execution
Controls over file systems, directories, files and open file descriptions
Controls over sockets, messages and network interfaces
Controls over the use of “capabilities”
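As an added illustration of the Type Enforcement, policy-language and access-decision-caching ideas mentioned above (this is not code from the SELinux project; the policy rules, type names and requests are constructed samples written in the real allow-rule syntax):

```python
"""Toy Type Enforcement decision engine (added illustration, not SELinux code).
Parses 'allow' rules in the real SELinux policy syntax
(allow SOURCE_TYPE TARGET_TYPE:CLASS { PERMS };), answers access queries with
default deny, and fronts lookups with a small access vector cache (AVC), the
"caching access decisions" feature listed above. All values are constructed samples.
"""
import re
from collections import defaultdict

# One allow rule per line; permissions are a single name or a braced set.
RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;$"
)

# Constructed sample policy: a web server domain may read its content and
# append to its own logs; nothing grants it access to anything else.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { read search getattr };
allow httpd_t httpd_log_t:file { append create getattr };
allow httpd_t http_port_t:tcp_socket name_bind;
"""

def parse_policy(text):
    """Return {(source_type, target_type, class): set(perms)}; reject bad syntax."""
    rules = defaultdict(set)
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        src, tgt, cls, many, single = m.groups()
        rules[(src, tgt, cls)].update(many.split() if many else [single])
    return dict(rules)

class AccessVectorCache:
    """Caches the full permission set per (src, tgt, class), as the kernel AVC does."""
    def __init__(self, rules):
        self.rules, self.cache, self.hits, self.misses = rules, {}, 0, 0

    def allowed(self, src, tgt, cls, perm):
        key = (src, tgt, cls)
        if key in self.cache:
            self.hits += 1
        else:
            self.misses += 1          # first query consults the policy itself
            self.cache[key] = frozenset(self.rules.get(key, ()))
        return perm in self.cache[key]   # anything not granted is denied

    def reset(self):
        """Policy reload: cached decisions must be dropped (cf. 'support for policy changes')."""
        self.cache.clear()
```

A request for a (source, target, class) triple that no rule mentions is denied without any special-casing, which is the default-deny property the FAQ contrasts with the root-centred traditional model.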
What are the licensing restrictions for this system? All source code found on https://www.nsa.gov is released under the same terms as the original source code. For example, the patches for the Linux kernel and the patches for many existing utilities available there are released under the terms of the GNU General Public License (GPL).
Is there export control? Security-enhanced Linux is subject to no additional export controls compared to any other version of Linux.
Does the NSA plan to use it internally? For obvious reasons, the NSA does not comment on operational use.
Does the Secure Computing Corporation statement of July 26, 2002 change the NSA's position that SELinux is released under the GNU General Public License? The NSA's position has not changed. The NSA continues to believe that the terms and conditions of the GNU General Public License govern the use, copying, distribution and modification of SELinux. See the NSA press release of January 2, 2001.
Does the NSA support open source software? The NSA's software security initiatives cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. The NSA's work on enhancing software security is motivated by one simple consideration: using our resources as efficiently as possible to give the NSA's customers the best possible security options in the most widely used products. The goal of the NSA research program is to develop technological advances that can be shared with the software development community through various transfer mechanisms. The NSA does not endorse or promote any specific software product or business model. Rather, the NSA promotes security.
Does the NSA support Linux? As noted above, the NSA does not endorse or promote any specific software product or platform; the NSA only contributes to increased security. The Flask architecture, as demonstrated in the SELinux reference implementation, has been ported to several other operating systems, including Solaris, FreeBSD and Darwin, ported to the Xen hypervisor, and applied to applications such as the X Window System, GConf, D-BUS and PostgreSQL. The concepts of the Flask architecture are applicable to a wide range of systems and environments.
Cooperation
How do you plan to interact with the Linux community? We have a set of web pages on NSA.gov that serve as our primary way of publishing information about Security-enhanced Linux. If you are interested in Security-enhanced Linux, we encourage you to join the developer mailing list, review the source code and provide your feedback (or code). To join the developer mailing list, see the SELinux Developer Mailing List page.
Who can help? SELinux is now maintained and enhanced by the open source Linux software developer community.
Does the NSA fund any follow-up work? Currently, the NSA is not considering proposals for further work.
What kind of support is available? We intend to address issues through the selinux@tycho.nsa.gov mailing list, but we will not be able to answer every site-specific question.
Who helped? What did they do? The Security-enhanced Linux prototype was developed by the NSA together with research partners from NAI Labs, the Secure Computing Corporation (SCC) and the MITRE Corporation. After the initial public release, many other contributions followed. See the list of contributors.
How can I find out more? We encourage you to visit our web pages, read the documentation and past research papers, and participate in our mailing list selinux@vger.kernel.org.