Abstract

SELinux policies used in practice contain tens of thousands of rules, making it hard to comprehend their impact on security and to verify whether they actually meet the intended security goals. In this paper, we describe an approach for reasoning about the consistency of a given SELinux policy by analyzing the information flows caused by it. For this purpose, we model SELinux policy rules using the Readers-Writers Flow Model (RWFM). We have used this approach to implement a static policy analysis tool as well as a run-time monitor. The static policy analysis tool identifies all the possible indirect flows in a given policy and then filters out those indirect flows that pose a high threat. Given an indirect flow, the tool can also identify the sequences of accesses that cause the indirect flow. The tool also ranks the rules and domains based on the number of policy violations they cause. Thus, the static analysis tool is useful for policy writers to develop flow-secure policies. The run-time monitor, on the other hand, keeps track of the information flows in an SELinux system and detects indirect flows dynamically. This helps in ensuring flow-secure enforcement of a given SELinux policy as per the specification. The efficiency and efficacy of our implementations are demonstrated through experimental analysis on large, real-life policies.
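The idea of an indirect flow can be shown with a simplified graph sketch, added here as an illustration; it is not the paper's tool and does not implement RWFM labels. It assumes a read moves data from object type to subject domain and a write moves it the other way; the sample policy, the permission sets and all function names are constructed for this example.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample policy (not taken from the paper).
POLICY = """
allow httpd_t shadow_t:file read;
allow httpd_t tmp_t:file { read write };
allow user_t tmp_t:file read;
"""
READ_PERMS = {"read"}              # assumed: permissions that move data object -> subject
WRITE_PERMS = {"write", "append"}  # assumed: permissions that move data subject -> object
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def flow_edges(policy):
    """Map each allow rule to direct flow edges {(src, dst): rule text}."""
    edges = {}
    for m in RULE.finditer(policy):
        subj, obj, _cls, many, one = m.groups()
        perms = set((many or one).split())
        if perms & READ_PERMS:
            edges.setdefault((obj, subj), m.group(0))
        if perms & WRITE_PERMS:
            edges.setdefault((subj, obj), m.group(0))
    return edges

def indirect_flows(edges):
    """Return {(src, dst): [rules causing it]} for flows with no direct edge."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    found = {}
    for start in list(succ):
        prev, queue = {start: None}, deque([start])
        while queue:                      # breadth-first search: shortest access sequence
            node = queue.popleft()
            for nxt in succ[node]:
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        for dst in prev:
            if dst != start and (start, dst) not in edges:
                path, n = [], dst
                while prev[n] is not None:
                    path.append(edges[(prev[n], n)])
                    n = prev[n]
                found[(start, dst)] = path[::-1]
    return found

def rank_rules(flows):
    """Rank rules by the number of indirect flows they take part in."""
    return Counter(r for path in flows.values() for r in path).most_common()
```

In the sample, no rule lets `user_t` read `shadow_t`, yet the three rules together carry `shadow_t` data to `user_t` through `httpd_t` and `tmp_t`.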
