SEEdit: SELinux security policy configuration system with higher level language

Yuichi Nakamura, Yoshiki Sameshima, Toshihiro Tabata

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Citations (Scopus)

Abstract

Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, describing and verifying security policy configurations is difficult because in refpolicy, there are more than 100,000 lines of configurations, thousands of elements such as permissions, macros and labels. The memory footprint of refpolicy which is around 5MB, is also a problem for resource constrained devices. We propose a security policy configuration system SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes label configurations. SPDL tools generate security policy configurations from access logs and tool user's knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semiautomated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.

Original languageEnglish
Title of host publicationProceedings of the 23rd Large Installation System Administration Conference, LISA 2009
PublisherUSENIX Association
Pages107-117
Number of pages11
ISBN (Electronic)9781931971713
Publication statusPublished - 2009
Event23rd Large Installation System Administration Conference, LISA 2009 - Baltimore, United States
Duration: Nov 1 2009Nov 6 2009

Publication series

NameProceedings of the 23rd Large Installation System Administration Conference, LISA 2009

Conference

Conference23rd Large Installation System Administration Conference, LISA 2009
CountryUnited States
CityBaltimore
Period11/1/0911/6/09

Keywords

  • Configuration
  • SELinux
  • Security
  • Security policy

ASJC Scopus subject areas

  • Management of Technology and Innovation
  • Information Systems and Management

Fingerprint Dive into the research topics of 'SEEdit: SELinux security policy configuration system with higher level language'. Together they form a unique fingerprint.

Cite this