XACE and XSELinux patches for Xorg 6.8.2

Bryan Ericson bericson at trustedcs.com
Wed Feb 23 10:09:50 PST 2005


Hello

Early last year, Eamon Walsh, while working for the NSA on the SELinux
project, modified the X server to support SELinux.  In addition, he
created a new extension: XACE (for X Access Control Extension).  He
then modified the Security and Appgroup extensions to fit within the
XACE framework, and created an additional XSELinux extension.

Basically, the XACE extension is a general-purpose security framework.
Security-related extensions register themselves with XACE and specify
which security-related events they are interested in.  When said
events occur, XACE then calls functions within the extensions.  The
operation in question succeeds only if the operation is allowed by all
extensions.

Eamon's work was based on the 6.7 release.  Since Eamon left the NSA
SELinux group, the CVS branch where he made his modifications has not
been updated. We believe Eamon's work is an excellent foundation for
future security work in X.  We have ported XACE and XSELinux to the
current 6.8.2 release, and we submit it here for review and
discussion, and for consideration for eventual acceptance into the
mainline Xorg source.  The patches modify the xsecurity and appgroup
extensions to use the XACE framework, change the direct calls to
security extensions to calls into XACE, and add a new XSELinux
extension.

About our interest in this project:  Trusted Computer Solutions (TCS)
is working with NSA on the SELinux project.  We would like to see more
security-related work done in the Xorg project, and we view this as an
important first step towards future work on X security.

We welcome all constructive comments, discussion, and criticism.

Eamon's work is based on the following paper:

http://www.nsa.gov/selinux/papers/x11-abs.cfm

The patches can be downloaded from:

http://dgoeddel.home.insightbb.com/xorg-x11-6.8.2.xace.patch
http://dgoeddel.home.insightbb.com/xorg-x11-6.8.2.xselinux.patch

Thank you,

Bryan Ericson
Trusted Operating Systems Lab
Trusted Computer Solutions, Inc.
http://www.TrustedCS.com
bericson at trustedcs.com
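
The dispatch model described in the message (modules register for events, the framework calls each one, and the operation succeeds only if all allow it), as an added example that is not part of the original post and is not code from the XACE patches. All names here (`sec_register`, `sec_check`, the event kinds, and both policies) are hypothetical and the policies are constructed for illustration.

```c
#include <stddef.h>

/* Hypothetical event kinds: the post does not list XACE's real hooks. */
enum sec_event { EV_RESOURCE_ACCESS, EV_PROPERTY_ACCESS, EV_COUNT };
#define MAX_HOOKS 8

/* A security module's callback: nonzero allows the operation, zero denies. */
typedef int (*sec_hook)(int client, int target, void *state);

static struct { sec_hook fn; void *state; } hooks[EV_COUNT][MAX_HOOKS];
static size_t nhooks[EV_COUNT];

/* A module registers interest in one event kind.
 * Returns 0 on success, -1 on bad input or a full table. */
int sec_register(enum sec_event ev, sec_hook fn, void *state)
{
    if ((unsigned)ev >= EV_COUNT || fn == NULL || nhooks[ev] == MAX_HOOKS)
        return -1;
    hooks[ev][nhooks[ev]].fn = fn;
    hooks[ev][nhooks[ev]].state = state;
    nhooks[ev]++;
    return 0;
}

/* Called by the server at a security-relevant point. The operation is
 * allowed only if every registered module allows it. All modules are
 * consulted even after a denial so each can keep its own audit count
 * (a design choice of this sketch). */
int sec_check(enum sec_event ev, int client, int target)
{
    int allowed = 1;
    if ((unsigned)ev >= EV_COUNT)
        return 0;                        /* unknown event: fail closed */
    for (size_t i = 0; i < nhooks[ev]; i++)
        if (!hooks[ev][i].fn(client, target, hooks[ev][i].state))
            allowed = 0;
    return allowed;
}

/* Constructed policy A: ids >= 100 are untrusted and may not touch
 * trusted (id < 100) targets. state points to a call counter. */
int trust_hook(int client, int target, void *state)
{
    ++*(int *)state;
    return !(client >= 100 && target < 100);
}

/* Constructed policy B: client and target must share a label (id % 10). */
int label_hook(int client, int target, void *state)
{
    ++*(int *)state;
    return client % 10 == target % 10;
}
```

With both hooks registered on the same event, a request passes only when neither policy objects; an event with no registered hooks falls through to the server's default of allowing the operation.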


