I’ve mentioned SELinux (Security Enhanced Linux) here before; developed by the US National Security Agency (NSA), it is not a Linux distribution in the usual sense, but a set of modifications to the stock Linux operating system to provide more robust security capabilities, especially mandatory access control. (The NSA also has a similar project, SEAndroid, for the Android mobile operating system.) I’ve recently discovered some additional resources on the technical architecture and history of SELinux, and thought some readers might find them helpful.
IBM’s developerWorks site has released a couple of papers on SELinux in the last few weeks. The first, Anatomy of Security Enhanced Linux, by M. Tim Jones, discusses some of the mechanisms and techniques that are used in SELinux. It also has a brief comparison and discussion of other Security-enhanced systems, such as Solaris 10 (formerly Trusted Solaris) and Trusted BSD. The second paper, SELinux: History of its Development, Architecture, and Operating Principles, by Evgeny Ivashko, It has a historical overview of the projects development, and its relations to other security projects and initiatives. Both of these papers, which are intended for a technical audience, are also available as downloadable PDFs, and contain “Resources” sections with links to additional information.
The NSA also maintains a comprehensive SELinux site, which contains background information, documentation, and download links. As the main article indicates, SELinux is not intended to be a security panacea, but as an example of how a mainstream OS can be given better security features.
This work is not intended as a complete security solution. It is not an attempt to correct any flaws that may currently exist in an operating system. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including an administrator process, can be added into a system.
If you are interested in running SELinux, or just interested in the general topic of OS security, I think you will find some interesting reading.