-
Notifications
You must be signed in to change notification settings - Fork 1
/
sebsd.page
125 lines (107 loc) · 5.71 KB
/
sebsd.page
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
<!--
Copyright (c) 2012 Robert N. M. Watson
Copyright (c) 2005 SPARTA, Inc.
Copyright (c) 2003 Networks Associates Technology, Inc.
All rights reserved.
This documentation was developed for the FreeBSD Project by McAfee
Research, the Security Research Division of Network Associates, Inc.
under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of
the DARPA CHATS research program.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-->
<page role="sebsd">
<title>SEBSD</title>
<section>
<title>SEBSD: Port of SELinux FLASK and Type Enforcement to
TrustedBSD</title>
<html>
<p><b>The SEBSD and SEDarwin projects ran from roughly 2004-2006, and
adapted the FLASK framework and Type Enforcement policy used in
SELinux to run in the FreeBSD kernel using the MAC Framework.
This abstraction of FLASK/TE paved the way for a later transition to
SELinux as an LSM module in the Linux community.</b></p>
<p><b>This project is currently idle; although changes to the MAC
Framework to support FLASK/TE were largely upstreamed to FreeBSD,
there appeared (at the time) to have been relatively little
community uptake of the project.
Interestingly, McAfee (now Intel) ships a MAC Framework Type
Enforcement module in their Sidewinder firewall product, albeit
from a pre-SELinux FLASK/TE source code base.</b></p>
<p><b>Forward-porting the 2006 version of SEBSD would be fairly
straight forward from a FreeBSD perspective, but non-trivial effort
would need to be invested in updating the FLASK/TE portions of the
work, as well as developing a reference policy.
Interested parties should e-mail the trustedbsd-discuss mailing list
for pointers, and would likely see a positive reception!
Discussion below is historical.</b></p>
<hr />
<!--
<p>
<span id="collection-label">Perforce:</span>
<span id="cvsup-collection">//depot/projects/trustedbsd/sebsd/...</span>
</p>
-->
<p>SEBSD is a port of NSA's FLASK/TE implementation in
SELinux to run on FreeBSD as a plug-in module to the <a
href="mac.html">TrustedBSD MAC Framework</a>, as well as the
policy files and necessary adaptations of FreeBSD's userland
applications.
At the time of this writing, the SEBSD module can be attached
to the kernel and run in enforcing mode using a sample
policy; many but not all relevant userland applications
have been updated to properly interact with FLASK
security contexts, including the login program.</p>
<p>McAfee Research, now <a href="http://www.isso.sparta.com/">SPARTA
ISSO</a>, now provides a source tarball and CVSUP source distribution of
SEBSD maintained on the FreeBSD Project Perforce Server.</p>
<p>The FLASK/TE implementation provided by NSA, SCC, and
SPARTA ISSO (McAfee Research), is licensed under the GNU
Public License (GPL), and will be distributed seperately
from the remainder of the TrustedBSD components due to
these licensing constraints.
However, these components are available as source code module
that plugs into the MAC Framework.</p>
<p>2006-07-05 7.0-SEBSD supfile: <a href="downloads/20060705-7.0-SEBSD-supfile"> Download</a>.
<a href="downloads/20060705-7.0-SEBSDInstall.txt">Install notes</a>.
This SEBSD snapshot is based on a March 2006 snapshot of FreeBSD 7.x
and SELinux sources from the same timeframe. It also includes the new
<a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>
as a new policy baseline. It should be noted that SEBSD will not
currently function in enforcing mode as the new policy development
is still at a relatively early stage.</p>
<p>2005-06-24 6.0-SEBSD snapshot ISO: <a
href="downloads/20050624-6.0-SEBSD-i386-miniinst.iso">Download</a>.
<a href="downloads/20050624-6.0-SEBSDinstall.txt">Install notes</a>.
This SEBSD snapshot is based on a late-2004 snapshot of FreeBSD 6.x,
combined with SELinux sources from that time. An updated SEBSD
snapshot to coincide with FreeBSD 6.0-RELEASE will be available in
the near future.</p>
<p>2004-01-08 5.1-SEBSD snapshot ISO: <a
href="downloads/20040108-5.1-SEBSD-i386-miniinst.iso">Download</a>.
<a href="downloads/20040108-5.1-SEBSD-install.txt">Install
notes</a>.</p>
<p>In addition, a port of the SEBSD module (along with MAC
Framework) to Apple's Darwin operating system is also underway;
see the <a href="sedarwin.html">SEDarwin page</a> for more
information.</p>
</html>
</section>
</page>