SEBSD: Port of SELinux FLASK and Type Enforcement to TrustedBSD
The SEBSD and SEDarwin projects ran from roughly 2004-2006, and
adapted the FLASK framework and Type Enforcement policy used in
SELinux to run in the FreeBSD kernel using the MAC Framework.
This abstraction of FLASK/TE paved the way for a later transition to
SELinux as an LSM module in the Linux community.
This project is currently idle; although changes to the MAC
Framework to support FLASK/TE were largely upstreamed to FreeBSD,
there appeared (at the time) to have been relatively little
community uptake of the project.
Interestingly, McAfee (now Intel) ships a MAC Framework Type
Enforcement module in their Sidewinder firewall product, albeit
from a pre-SELinux FLASK/TE source code base.
Forward-porting the 2006 version of SEBSD would be fairly
straightforward from a FreeBSD perspective, but non-trivial effort
would need to be invested in updating the FLASK/TE portions of the
work, as well as developing a reference policy.
Interested parties should e-mail the trustedbsd-discuss mailing list
for pointers, and would likely see a positive reception!
Discussion below is historical.
SEBSD is a port of NSA's FLASK/TE implementation in
SELinux to run on FreeBSD as a plug-in module to the TrustedBSD MAC Framework, as well as the
policy files and necessary adaptations of FreeBSD's userland
applications.
At the time of this writing, the SEBSD module can be attached
to the kernel and run in enforcing mode using a sample
policy; many but not all relevant userland applications
have been updated to properly interact with FLASK
security contexts, including the login program.
McAfee Research, now SPARTA
ISSO, now provides a source tarball and CVSUP source distribution of
SEBSD maintained on the FreeBSD Project Perforce Server.
The FLASK/TE implementation provided by NSA, SCC, and
SPARTA ISSO (McAfee Research) is licensed under the GNU
Public License (GPL), and will be distributed separately
from the remainder of the TrustedBSD components due to
these licensing constraints.
However, these components are available as a source code module
that plugs into the MAC Framework.
2006-07-05 7.0-SEBSD supfile: Download.
Install notes.
This SEBSD snapshot is based on a March 2006 snapshot of FreeBSD 7.x
and SELinux sources from the same timeframe. It also includes the new
SELinux Reference Policy
as a new policy baseline. It should be noted that SEBSD will not
currently function in enforcing mode as the new policy development
is still at a relatively early stage.
2005-06-24 6.0-SEBSD snapshot ISO: Download.
Install notes.
This SEBSD snapshot is based on a late-2004 snapshot of FreeBSD 6.x,
combined with SELinux sources from that time. An updated SEBSD
snapshot to coincide with FreeBSD 6.0-RELEASE will be available in
the near future.
2004-01-08 5.1-SEBSD snapshot ISO: Download.
Install notes.
In addition, a port of the SEBSD module (along with MAC
Framework) to Apple's Darwin operating system is also underway;
see the SEDarwin page for more
information.