Security enhanced linux

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Abstract

Security Enhanced Linux or SELinux which is a part of the NSA open source Security Enhanced Linux project. This project deals with setting up of SELinux policies and protecting the system with policies for software creating their domain and securing the system against any fault in the software/0 Day Vulnerability or any attack against the system/Hacking Attempt.

Acknowledgements

I would like to thank my former supervisor Dr. Diane Gan and current supervisor Dr. Alan Soper for all of their support during the implementation of this project and taking time out of their busy schedules.

I would also like to thank Dr. Mariusz Pelc, for his support and immense help in setting-up my experiment are duly acknowledged.

I am very grateful to my parents for their support and all other help throughout this degree and my whole life.

List of Figures

Chapter 1: Introduction

    Security Enhanced Linux is an implementation of a mandatory access control mechanism. SELinux is incorporated in the Linux kernel and is used to check the operations allowed after the standard Linux discretionary access controls are checked. SELinux nowadays comes already installed with Redhat and Fedora Linux and there are separate packages available for some other Linux distribution like Ubuntu, Suse, etc.

    SELinux was originally developed by the NSA and was released for the public at the end of 2000 and open source community adopted it and it is still being developed by them and also by NSA as well.

    SELinux works with defining permissions for how all the processes or subjects will interact with the system including files, ports, devices, other processes, etc. called objects. This Project tells about the practical implementation and setting up of policies of SELinux in a Redhat Enterprise Linux 5 server. The other tested operating systems were Fedora 10, Fedora 11 and Fedora 9. The problem of 0-day vulnerability or system patching system made this module to be incorporated in the Linux Security Modules which is an extension of the Linux kernel which allows security systems to be added easily to the kernel. Redhat Enterprise Linux 5 (RHEL5) 30 day evaluation version will be used for this experiment which include setting up policies for containing FTP service (Subject) in its domain and won't let users even root to access even their home directories unless specified.

Aim & Objectives

Chapter 2: Literature Review

    Operating system security is primary security for every computing system because it the most crucial point of failure in an entire system. Securing a system is necessary but if the applications installed in the system have some weakness then security of the system would be of no use. SELinux acts like an internal firewall in a system.

SELinux is a security module incorporated in the LSM (Linux Security Module) in the kernel of Linux. It was first developed by the NSA and now has been adopted in the open source community and is going continuous development. It is an implementation of flexible and fine-grained mandatory access control architecture called Flux Advanced Security Kernel or FLASK added in the Linux Kernel.

Architecture Concepts

    The large part of the SELinux Architecture is called FLASK, which also was designed by NSA. Mandatory Access Control (MAC) is implemented by the Flask architecture, which mainly focuses on providing an administratively defined security policy which control all the subjects and objects after the decision has been taken by all the security relevant information. The Flask architecture additionally focuses on the model of least privilege which gives the services precisely the rights it needs to execute the given task. Integrating MAC is a very important step in building of a secure operating system. It would considerably improve security of a system and also enable protection from vulnerabilities that infect systems these days [1].

    MAC architecture's needs the capacity to implement an administratively-set security policy on all the objects and subjects in the system on the decisions based on labels containing various information regarding security.

References

  • P.A. Loscocco, P.A. Muckelbauer, S.D. Smalley, R.C. Taylor, J.F. Farrell and S.J. Turner. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In minutes of the 21st National Information System Security Conference, pages 303-314, October 1998.