Solution Brief

Tresys builds tool to easily analyze SELinux policies - increasing the efficiency and effectiveness of USG development efforts.

Customer Profile
This U.S. Government agency provides solutions, products, and services that enable defensive information operations. This includes securing information infrastructures critical to U.S. national security interests. A key requirement of this agency was to ensure that their community of application developers (i.e., employees, vendors, contractors, etc.) was able to quickly assess the robustness of security policies on their secure, next-generation workstations.

Business Challenge
The agency had a requirement for a next-generation user workstation architecture with an ability to simultaneously process data at varying levels of sensitivity. SELinux was selected based on its flexibility and ability to meet these security guidelines. The result was a complex and large SELinux security policy. This created a need for analysis tools to assist in security policy development and to provide a capacity for assuring policy consistency and correctness.

Tresys Solution
Tresys created the open source SETools tool suite to expedite analysis and testing of these SELinux security policies. SETools gives users the ability to perform both interactive and complex, automated analysis of their security policy. A graphical interface provides a "big picture" view of the policy and supports "drill-down" analysis according to very specific needs (e.g., domain transitions, type relationships, file re-labeling, information flow, etc.). This tool suite gave the agency and its developers the ability to quickly see the important differences between development cycles of complex security policies and to perform automated policy checks. Tresys also provided SELinux policy analysis expertise and technical support to their broader solution development effort.

Benefit
Employing SETools achieved a sizeable cost savings in the time required for complete static analysis of security policies. This was realized by SETools’ ability to automate the system analysis required to ensure data paths and communication flows are fully restricted without the possibility of compromise. In addition, SETools manages and presents this analysis data in a common and consistent manner, simplifying the process of understanding the policy.

About Tresys Technology
Tresys Technology is a principal open source contributor to Security Enhanced Linux (SELinux), with an emphasis on making SELinux easier to use and manage. In addition to its extensive Secure Linux technology development, services, and training experience, Tresys provides many technology solutions that allow Linux users and administrators to easily leverage the power of SELinux. Tresys also provides business and government organizations with expert security engineering services, including security testing, evaluation and certification support, cryptographic solutions, and security technology innovation.