
Model-Driven Configuration of SELinux Policies

  • Conference paper
On the Move to Meaningful Internet Systems: OTM 2009 (OTM 2009)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5871)

Abstract

The need for access control in computer systems is inherent. However, the complexity of configuring such systems is constantly increasing, which negatively affects the overall security of a system. We think that it is important to define security requirements on a non-technical level while taking the application domain into account, in order to have a clear and separated view on security configuration (i.e. unblurred by technical details). On the other hand, security functionality has to be tightly integrated with the system and its development process in order to provide comprehensive means of enforcement. In this paper, we propose a systematic approach based on model-driven security configuration to leverage existing operating system security mechanisms (SELinux) for realising access control. We use UML models and develop a UML profile to satisfy these needs. Our goal is to exploit a comprehensive protection mechanism while rendering its security policy manageable by a domain specialist.




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Agreiter, B., Breu, R. (2009). Model-Driven Configuration of SELinux Policies. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_10


  • DOI: https://doi.org/10.1007/978-3-642-05151-7_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05150-0

  • Online ISBN: 978-3-642-05151-7

  • eBook Packages: Computer Science, Computer Science (R0)
