PLEASE: Policy Language for Easy Administration of SELinux

With the growing importance of security, alternative access control methods have become commonplace. The emergence of systems such as SELinux has provided a new means to further restrict access beyond Linux's traditional capability-based system. Unfortunately, writing a policy for applications in SELinux is a challenge, even for the most battle-hardened of policy developers.

SELinux is based on the premise that processes act on resources in the system. However, this is not reflected clearly in the way that people currently develop policies. The process for policy development entails identifying the resources that a program needs to use, and then combing over the reference policy to identify the appropriate types and interfaces.

To reduce the complexity of the policy development process, we developed PLEASE, a high-level language for writing SELinux policies. PLEASE is designed to integrate into the SELinux reference policy by making use of the interfaces and types already present, allowing for sections of the reference policy to be rewritten into it.

By basing the policy model around the kernel and application resources, the policy can be analyzed for potential information leaks.

We provide the developer with facilities to specify SELinux policy statements directly from PLEASE, analogous to the relationship between C and assembly. This gives the developer the power and flexibility of low-level policy statements while still allowing use of our higher-level abstractions.

Technical Reports:

# | Title | Formats | Published In | Date | Comments
1 | PLEASE: Policy Language for Easy Administration of SELinux | PS, PDF, BibTeX | Stony Brook U. CS TechReport FSL-07-02 | May 2007 | M.S. Thesis

Past Students:

# | Name | Program | Period | Current Location
1 | Kimberly Johnson | MS | Jan 2007 - Dec 2007 | Product Manager, Pivotal Network, Cloud Foundry (New York, NY)
2 | David Quigley | MS | Sep 2005 - May 2007 | ZFS Linux Software Engineer, High Performance Data Division, Intel (Longmont, CO)