Integrating Flexible Support for Security Policies into the Linux Operating System
Peter Loscocco, NSA, pal@epoch.ncsc.mil
Stephen Smalley, NAI Labs, sds@tislabs.com
Contents
Introduction
Overview
Encapsulation of Security Policy
Flexibility in Labeling Decisions
Flexibility in Access Decisions
Support for Policy Changes
Process Controls
File Controls
Socket Controls
Security Server
Architecture Types and Constants
Interfaces for the Kernel
System Calls for Applications
Policy Configuration Language
TE configuration
RBAC configuration
MLS configuration
User configuration
Constraints configuration
Security context configuration
Prototype Implementation
compute_av
compute_sid
sid_to_context
context_to_sid
load_policy
Other interfaces
System Call Controls
Access Vector Cache
Interfaces for the Kernel
Interfaces for the Security Server
Implementation
Process Management
Design
Object Classes
Permissions
Control Requirements
API extensions
Implementation
Labeling
API Extensions
Control Requirements
File System
Design
Object Classes
Permissions
Control Requirements
Persistent Labeling
API extensions
Implementation
Labeling
API extensions
Control Requirements
Other File System Types
Procfs
Procfs Analysis
Procfs Labeling Design
Procfs Labeling Implementation
Devpts
NFS client support
Networking
Design
Object Classes
Permissions
Control Requirements
API extensions
Implementation
Labeling
API extensions
Control Requirements
System V IPC
Design
Object Classes
Permissions
Control Requirements
API extensions
Implementation
Labeling
API Extensions
Control Requirements
System Call Review
Process Management
Scheduling
Sessions and Process Groups
User and Group Identity
Capabilities
Timers
Resource Limits and Usage
Other Process Calls
Memory Management
File System
Kernel Modules
System Operations
To Do
Bibliography
About this document ...