Integrated Access Permission: Secure and Simple Policy Description by Integration of File Access Vector Permission

Abstract

In pervasive computing, embedded systems have a possibility to be attacked by crackers, including 0-day attack, as well as enterprise systems. In particular, in a case where a cracker gets a root privilege, damages are significant. To resolve this problem, Security-Enhanced Linux (SELinux) is useful. However, SELinux has a problem that is significant complexity for configuration because of too fine-grained access control. As a method for resolving this problem, SELinux Policy Editor (SEEdit) has been developed; this is a tool that simplifies the SELinux configuration. SEEdit uses the Simplified Policy Description Language (SPDL) as a policy description language. In the SPDL, we define new access permissions that integrate Access Vector Permissions (AVPs) employed in SELinux to provide access permissions in a security policy. Thus, we propose a set of access permissions named Integrated Access Permissions (IAPs), which enables the achievement of a good balance between reducing the workload of the configurations and guaranteeing security in SELinux. In addition, we evaluate our IAPs and show them almost secure.