SEFlow 0.1.1

SEFlow can be use the SELinux technology on controlling the data flow inside an information processing system.
SEFlow can be use the SELinux technology on controlling the data flow inside an information processing system. While the SELinux policies most commonly found focus on controlling access to static system facilities like an httpd or a system logger, SEFlow is meant to secure the data itself, whose location inside the system is dynamic.


mathematical policy model: SEFlow tries to model the policy using mathematical primitives. The core aims to be able to combine small sub-policies by computing operations like unions, intersections and cartesian products between them, making a more orthogonal approach to policy design possible.

Possible applications

license management: In a sufficiently large development environment, there is often a large pool of data governed under a variety of licenses to be combined to create the final product. It becomes important to keep track of the different licenses. This can conveniently be done by adding licensing information to the security contexts of the files. This way, the operating system kernel can keep track of what licensing conditions apply to the resulting data.

strategic approach to security: Using the license management described above, it becomes possible to employ a mechanism similar to the tainting mechanism of the Linux kernel on the operating system layer. Critical system facilities can be constrained to interference by open source data, thereby ensuring better possibilities for investigating and fixing possible problems.

State of the project

Please note that the applications described above are not possible yet. The project is currently in a state of prototyping and could serve as a technology demo. What you can do now is to look at the already existing code and to experiment with it. There is the possibility to create a minimal policy which does not provide any security but instead makes it easy to extend upon it. Computing cartesian products of sub-policies is also working. The provide_sandbox macro can be used as a facility to test the security contexts without interfering with the running system.


NSA Security-enhanced Linux

What's New in This Release:

To demonstrate the possibility of combining independent policy factors, a factor that blocks network access was created.
This way, network access of processes can be disabled without interfering with other constraints.

last updated on:
July 4th, 2008, 10:48 GMT
license type:
GPL (GNU General Public License) 
developed by:
Isidor Zeuner
ROOT \ Security
Download Button

In a hurry? Add it to your Download Basket!

user rating 20



Rate it!

Add your review!