Algorithms for Automatic Analysis of SELinux Security Policy

Configuration of security policies is an important but complicated work for running of secure operating systems. On the one hand, completely correct and consistent configuration is the necessary prerequisite for secure and credible system operation. On the other hand, errors and bugs are incidental anywhere within configuration at all time. Therefore, algorithms for automatic analysis of SELinux security policy are studied in this paper. Based on an improved analysis model similar to SELAC model, both algorithms for validity analysis and integrity analysis are designed. So that any access relations among subjects and objects with specified security contexts can be identified correctly by using the former algorithm. And all rules that could potentially influence integrity of subjects and objects can be detected based on the latter algorithm. Furthermore, a corresponding prototype is implemented in C Language and a security policy configuration as to an application system called Student-Teacher system is designed based on the architecture of reference policy in order to test the prototype. Results are satisfactory and it shows that related algorithms are potential to be used to build an appropriate tool to assist people to perform configuration work and to complete correct and reliable configuration.