www.TrustedBSD.org

SEBSD: Port of SELinux FLASK and Type Enforcement to TrustedBSD

The SEBSD and SEDarwin projects ran from roughly 2004-2006, and adapted the FLASK framework and Type Enforcement policy used in SELinux to run in the FreeBSD kernel using the MAC Framework. This abstraction of FLASK/TE paved the way for a later transition to SELinux as an LSM module in the Linux community.

This project is currently idle; although changes to the MAC Framework to support FLASK/TE were largely upstreamed to FreeBSD, there appeared (at the time) to have been relatively little community uptake of the project. Interestingly, McAfee (now Intel) ships a MAC Framework Type Enforcement module in their Sidewinder firewall product, albeit from a pre-SELinux FLASK/TE source code base.

Forward-porting the 2006 version of SEBSD would be fairly straightforward from a FreeBSD perspective, but non-trivial effort would need to be invested in updating the FLASK/TE portions of the work, as well as developing a reference policy. Interested parties should e-mail the trustedbsd-discuss mailing list for pointers, and would likely see a positive reception! Discussion below is historical.


SEBSD is a port of NSA's FLASK/TE implementation in SELinux to run on FreeBSD as a plug-in module to the TrustedBSD MAC Framework, as well as the policy files and necessary adaptations of FreeBSD's userland applications. At the time of this writing, the SEBSD module can be attached to the kernel and run in enforcing mode using a sample policy; many but not all relevant userland applications have been updated to properly interact with FLASK security contexts, including the login program.

McAfee Research, now SPARTA ISSO, provides a source tarball and CVSUP source distribution of SEBSD maintained on the FreeBSD Project Perforce Server.

The FLASK/TE implementation provided by NSA, SCC, and SPARTA ISSO (McAfee Research) is licensed under the GNU Public License (GPL), and will be distributed separately from the remainder of the TrustedBSD components due to these licensing constraints. However, these components are available as a source code module that plugs into the MAC Framework.

2006-07-05 7.0-SEBSD supfile: Download. Install notes. This SEBSD snapshot is based on a March 2006 snapshot of FreeBSD 7.x and SELinux sources from the same timeframe. It also includes the new SELinux Reference Policy as a new policy baseline. It should be noted that SEBSD will not currently function in enforcing mode as the new policy development is still at a relatively early stage.

2005-06-24 6.0-SEBSD snapshot ISO: Download. Install notes. This SEBSD snapshot is based on a late-2004 snapshot of FreeBSD 6.x, combined with SELinux sources from that time. An updated SEBSD snapshot to coincide with FreeBSD 6.0-RELEASE will be available in the near future.

2004-01-08 5.1-SEBSD snapshot ISO: Download. Install notes.

In addition, a port of the SEBSD module (along with MAC Framework) to Apple's Darwin operating system is also underway; see the SEDarwin page for more information.


    Copyright 2000-2012 Robert N. M. Watson. All rights reserved.
    Copyright 2005 SPARTA, Inc. All rights reserved.
    Copyright 2002, Leigh T. Denault. All rights reserved.
    Copyright 2002, 2003 Networks Associates, Inc. All rights reserved.
    $P4: //depot/projects/trustedbsd/www/sebsd.page#11 $