Fine-grained access control -- XACE, XSELinux and X security

Bryan Ericson bericson at trustedcs.com
Mon Nov 28 10:18:30 PST 2005


The SECURITY extension has been lightly modified to plug in to XACE,
but otherwise retains the same functionality.  It still functions as
it always has.  XACE and XSELinux were originally written by Eamon
Walsh while working at NSA; as far as I know, they are entirely
original code.

XACE is nothing more than a framework for security extensions to
plug into; it has no policy and makes no decisions on access control. 
XSELinux, on the other hand, is very invasive in terms of the security
imposed on the system.  Every X object is assigned a SELinux context,
which is used in all security decisions.  You can read up on SELinux
at http://www.nsa.gov/selinux/.  Note that some sections of the site
are woefully out of date.

As far as implementing SECURITY functionality in XSELinux, I believe
it might be possible, though it would take a good deal of research to
correctly implement the SELinux security policy. The problem is that
the SELinux policy is extremely complex and addresses far more than
the designers of the SECURITY extension ever intended - that is to
say, using XSELinux to implement SECURITY would be overkill by an
order of magnitude.

Bryan

On Mon, 28 Nov 2005 12:41:42 -0500
Adam Jackson <ajax at nwnk.net> wrote:

> On Monday 28 November 2005 10:25, Bryan Ericson wrote:
> > Hi, Mark
> > Again, we intend to release new XACE and XSELinux patches for Xorg 7
> > in the near future.  Please let me know if you have any questions.
> 
> I haven't had the chance to look at these in any detail.  Do they reuse
> any of the existing infrastructure (hacks really) for the SECURITY
> extension?  Would it be possible to implement the one in terms of the
> other?  I'm not particularly keen on keeping the old security extension,
> but it sounds like XACE is strong enough to emulate the old extension as
> a policy, which might be a lot cleaner.
> 
> - ajax
