supported by Zeuner Solutions

SEFlow

Outline

The goal of the SEFlow project is to use SELinux technology to control the data flow inside an information processing system. While the most commonly found SELinux policies focus on controlling access to static system facilities like an httpd or a system logger, SEFlow is meant to secure the data itself, whose location inside the system is dynamic.

Technology

mathematical policy model: SEFlow tries to model the policy using mathematical primitives. The core aims to combine small sub-policies by computing operations such as unions, intersections and Cartesian products between them, which makes a more orthogonal approach to policy design possible.

State of the project

In its current state, the project provides macros to create a minimum base policy without any security and to plug in different security modules by set operations. This makes it possible to incrementally develop a security policy inside a running system which has to be dynamically extendable. The provide_sandbox macro can be used as a facility to test the security contexts without interfering with the running system. Processes can be constrained to run without network access by changing them to types with the no_network factor. This is possible independently of other constraints.
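The set-algebra idea from the Technology and State of the project paragraphs, as a small Python model added here (not SEFlow's macros or policy code): types are points in a Cartesian product of factors, the base policy allows everything, and modules are plugged in by intersection. Only `no_network` is a name from the page; the licensing factor, the object and operation names and the helper functions are assumptions.

```python
from itertools import product

# Assumed factor sets; only "no_network" is a name taken from the page.
NETWORK = {"network", "no_network"}
LICENSE = {"open", "proprietary"}          # hypothetical licensing factor

# A security type is one point in the Cartesian product of the factors.
TYPES = set(product(NETWORK, LICENSE))
OBJECTS = {("socket", None)} | {("file", lic) for lic in LICENSE}
OPS = {"read", "write", "connect"}

# Minimum base policy without any security: every (subject, object, op) rule.
BASE = set(product(TYPES, OBJECTS, OPS))


def module(forbidden):
    """A security module is the subset of BASE that it still allows."""
    return {rule for rule in BASE if not forbidden(*rule)}


# no_network subjects may not touch sockets, whatever their other factors are.
NO_NETWORK = module(lambda subj, obj, op: subj[0] == "no_network" and obj[0] == "socket")

# Hypothetical taint-style module: open-licensed subjects may not read
# proprietary files, so what they produce stays open.
LICENSE_FLOW = module(
    lambda subj, obj, op: subj[1] == "open" and obj == ("file", "proprietary") and op == "read"
)


def compose(*modules):
    """Plug modules into the base policy by set intersection."""
    policy = set(BASE)
    for m in modules:
        policy &= m
    return policy


def allowed(policy, subj, obj, op):
    """True if the composed policy still contains this rule."""
    return (subj, obj, op) in policy


if __name__ == "__main__":
    policy = compose(NO_NETWORK, LICENSE_FLOW)
    for subj in sorted(TYPES):
        print(subj, "connect:", allowed(policy, subj, ("socket", None), "connect"))
```

Because each module only inspects its own factor, the order of composition does not matter and adding one module never changes the decisions made by another.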

Future goals

license management: In a sufficiently large development environment, there is often a large pool of data, governed by a variety of licenses, that is combined to create the final product. It becomes important to keep track of the different licenses. This can conveniently be done by adding licensing information to the security contexts of the files. This way, the operating system kernel can keep track of what licensing conditions apply to the resulting data.

strategic approach to security: Using the license management described above, it becomes possible to employ a mechanism similar to the tainting mechanism of the Linux kernel on the operating system layer. Critical system facilities can be constrained so that only open source data may interfere with them, which improves the possibilities for investigating and fixing possible problems.

For help on installing SEFlow, refer to this guide.

Developers may be interested in inspecting the source code using the macro overview page.