On the Security of Selinux with a Simplified Policy

K. Sueyasu, T. Tabata, and K. Sakurai (Japan)


Security for Operating Systems, Access Control, Security Enhanced Linux, SE Linux Policy Editor


Security-Enhanced Linux (SELinux) is a secure operating system. SELinux implements some features in order to per form strong access control. However, the configuration of SELinux access control becomes very complex. Such com plexity may cause misconfiguration which can harm the strong access control. SELinux Policy Editor is a config uration tool for SELinux. It is developed in order to re duce the complexity and the risk of misconfiguration. As a part of its support of configuration, this tool simplifies the configuration of SELinux by integrating configuration items for complicated access control policy of SELinux. Although we can originally define and use macros which integrate permissions in SELinux access control policy, the integrated permissions of SELinux Policy Editor and the macros differ fundamentally in whether the use of them is mandatory or discretionary. In this paper, we examine effects of the simplification by SELinux Policy Editor on an example access control policy and evaluate the security of the access control based on the simplified policy about Apache, a web server software.

