Userland Development
While the kernel changes to Linux are the basis of SELinux, a few
userland packages are specific to SELinux, and a few system applications
(primarily authentication applications such as login and ssh) must be
modified to properly set SELinux security contexts. A number of other
applications can provide additional security or help maintain an SELinux
system if modified to take advantage of the SELinux kernel features.
The userland packages that are specific to SELinux are included in
the NSA SELinux releases. Information about obtaining modified
userland packages for several distributions is available from the
links under Distributions on this site. A good reference set of
SELinux patches can be found in the Fedora Core development tree.
Userland Packages Specific to SELinux
- libsepol - library for binary policy manipulation
- checkpolicy - program to compile policies to binary form
- libselinux - library for security-aware applications
- libsemanage - library for policy management
- policycoreutils - core set of policy-related utilities
- setools - tools for policy analysis and user management
- slat - tool for policy analysis
- polgen - tool for policy generation
Userland Packages with Patches for SELinux
- SysVinit - load initial policy
- pam - set security context for user sessions, preserve security context on /etc/shadow, check SELinux permissions
- util-linux - preserve security contexts on /etc/shadow, check SELinux permissions
- openssh - set security context for user sessions
- vixie-cron - set security context for cron jobs, check permission
- at - similar to vixie-cron
- sudo - set security context
- shadow-utils - preserve security context on /etc/shadow
- libuser - preserve security context on /etc/shadow, check permission
- passwd - preserve security context on /etc/shadow, check permission
- logrotate - preserve security context on logs
- coreutils - get and set process and file security contexts
- findutils - find files with specific security contexts or display them
- procps - display process contexts
- psmisc - display process contexts