SEC504: Hacker Tools, Techniques, and Incident Handling

This paper introduces the NSA's research project termed 'Security-enhanced' Linux. It has been recognized that securing applications is only half of the battle: a computer system must also employ security policies at the OS level, and the user vs. administrator model found in standard Unix is insufficient. Security-enhanced Linux, or 'SELinux', is defined as 'enforc[ing] mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs'(1). SELinux is neither a tool for encryption nor a full distribution of Linux; instead, it is a modification of the kernel to include a 'security server'. This internal security server is responsible for applying a configurable security policy to the way processes and users are allocated system resources and permissions. SELinux derives its architecture from a previous project called the 'Flask' operating system. This paper assumes that the reader possesses a working knowledge of the Unix operating system and understands the role of Linux in the Unix world.