[8315] in cryptography@c2.net mail archive
Security Enhanced Linux
daemon@ATHENA.MIT.EDU (cypherstar)
Fri Dec 22 17:31:38 2000
Message-Id: <200012221657.AAA06046@hedgehog.highway1.com.au>
From: "cypherstar" <cypherstuff@vrl.com.au>
To: cryptography@c2.net
Date: Sat, 23 Dec 2000 01:01:13 +0800
Reply-To: cypherstuff@vrl.com.au
From the NSA, sighted on /.
http://slashdot.org/article.pl?sid=00/12/22/0157229&mode=nocomment
While I was at this workshop, I met some folks from the NSA and they
told me about a really neat project that they've been working on,
called Security-enhanced Linux. One of the cool things about it is
that it separates enforcement and policy. So selinux can easily
support many different security policies, from the old (some would
say outdated/silly) Multi-Level Secure/Bell-LaPadula model, to Domain-
Type enforcement and Rule-Based Access Control models. So if you
think that high-security features mean the old silly, Secret / Top
Secret / CMW bullshit, and needing to make sure that Secret windows
don't get expose events from Top Secret windows, think again. A
number of folks have found Domain Type Enforcement and Rule-Based
Access Control systems very useful for securing Web servers and other
real world systems. The NSA folks just recently got permission to
make their stuff available on the Web. It's just a proof of concept,
and no doubt a lot of changes will need to be made before people will
accept integrating it into the kernel, but they have released a
working system (both kernel and userspace patches --- RPMs aren't
quite ready yet) based on Linux 2.2 and RedHat 6.1. So it's
definitely worth a look, and in fact some folks with specialized
needs might find it useful, even though it's a prototype.
http://www.nsa.gov/selinux