NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control architecture into the major subsystems of the kernel. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.
|Tags||Security Operating System Kernels Linux|
|Operating Systems||POSIX Linux|
Release Notes: This release is based on Linux 2.6.11. The SELinux kernel patch for 2.6.11 includes enhanced MLS support, changes to the execute-related permission checking for legacy binaries, and an extension to the /proc/pid/attr API to allow use by scripts. Enhanced MLS support has been merged into the userspace libraries and tools. The libraries and tools have been modified to allow local customization of file contexts and users without requiring policy sources, and to preserve certain types that are marked as being customizable upon relabels.
Release Notes: This release is based on Linux 2.6.10, but the current SELinux patch for the kernel includes a number of changes merged after 2.6.10 was released, including the AVC scalability work, AVC API and statistics support, dynamic context transition support, and enhanced controls over executable mappings. The checkpolicy policy compiler has been updated to order node context entries and to support supplementary type attribute declarations. Several improvements to libselinux, policycoreutils, and policy have been merged. Updated versions of setools, slat, and polgen were added.
Release Notes: This release is based on Linux 2.6.9, and includes significant scalability enhancements to the core SELinux code. Numerous improvements to libselinux, policycoreutils, and policy have also been merged. An updated version of setools from Tresys has been merged. Updated userland patches and SRPMS have been merged from the Fedora Core 3 development tree. This release includes the first public release of a new tool by MITRE, polgen, which attempts to generate policy for an application based on patterns in its behavior.
Release Notes: The current prototype and the experimental NFS code are now based on Linux kernel 2.6.7. Fine-grained netlink classes and permissions have been added. Many enhancements and bugfixes for policy as well as userland tools including slat and setools have been incorporated.
Release Notes: The current prototype and the experimental NFS code are now based on Linux kernel 2.6.6. Several races and kernel socket creation problems were fixed and a runtime disable was added. The old 2.4-based kernel patch was ported to 2.4.26. The userland patches were updated from Fedora Core 2 development. There are now man pages for libselinux. X server security classes and access vector definitions were added and many policy updates were made.