Security-Enhanced Linux Future Work

The NSA Security-enhanced Linux (SEL) team created and uses SEL for research purposes. This list of future work changes as our research progresses and we explore new areas. The focus of our work is not to create a marketable product, and usability and integration tasks often receive little or no priority.

It is expected that research in the below-identified areas of technology will continue. However, this list of expected research shall not be considered as a request for proposal or otherwise construed as a commitment by the National Security Agency to anyone for the procurement of equipment, services, or any obligation. The National Security Agency reserves the right to not pursue research in any area identified below or to discontinue, at any time, research in progress in any of these areas.

Research Tasks

The primary focus of the SEL team's limited resources is on tasks in this area. External participation is welcomed in these tasks as well as those which are less likely to receive SEL team attention.

* Integrate IPSEC with network mandatory controls
* Implement mandatory controls for NFS
* Improve and simplify the policy configuration system
* Complete the general purpose policy configuration
* Perform functional and performance testing
* Implement mandatory controls suggested in the system call review in the kernel documentation
* Implement polyinstantiated directories
* Implement polyinstantiated ports
* Implement notifications for completed operations
* Implement policy change callbacks
* Integrate existing publicly available file cryptography with file mandatory controls
* Implement SID descriptors (reference-counted SIDs)

Packaging and Porting Tasks

In general the SEL team only works on these tasks to the extent they are necessary to create a usable system or as time is available. Significant improvements in this area are likely only with external participation.

* Create or modify RPM spec files
  This includes creating an SRPM with the SEL patches, and altering the build directories to be independent of directory structure, but correctly dependent on policy and libsecure, for example.
* Port the kernel patches to the current development kernel
  The SEL team tries to keep our patches current with mainline Linux kernel development within the constraints of other work.
* Port the kernel patches to the latest stable kernel
  Generally the SEL team tries to merge updates into their CVS tree and will follow through with the update if there are no serious complications.
* Port the Flask changes to additional hardware platforms
  The new system call dispatching may be the most hardware-specific changes (particularly in the case of IPC). Platform-specific system call differences should be abstracted in libsecure.
* Port the utility patches to the latest versions of the base utilities
* Patch additional system utilities to be Flask-aware
* Perform additional functional and performance testing
  For example, creating regression test scripts that use the syscalls programs to verify that the additional system calls are still working as expected.

Documentation Tasks

In general the SEL team only works on these tasks to the extent they are necessary to describe the system to other researchers and developers or as time is available.

* Create an Administrator Guidance Document
  Discuss the use of Flask controls in various environments (ISP, Desktop, Firewall, etc.).
* Create a User Guidance Document
  What to expect as differences in SEL. Simple explanation of contexts and when they or their effects might be user visible.
* Create an Application Developer Guidance Document
  Discussion of how to create a policy snippet for an application. How and when to use the additional system calls. How to use for assured pipelines, etc.