The Discretionary Access Control (DAC) model, implemented for access control and privilege delegation in most UNIX systems, is the most frequent cause of host security breaches in the Internet environment. The LinSec project aims to design and implement a Mandatory Access Control (MAC) model, as opposed to the existing DAC model, in the Linux operating system.
The envisaged MAC model is based on a combination of existing and novel security mechanisms such as capabilities, file system access domains and IP labeling. The Linux-specific LinSec design and implementation is original in all its aspects except for the capability model, which is a substantial extension of the basic POSIX 1003.6 model implemented in Linux.
LinSec was implemented in about 5,000 lines of Linux kernel code over a 16-week period. The preliminary test and benchmark results show that the implemented MAC model is both efficient and effective. Furthermore, LinSec is easy to integrate into existing Linux systems and does not substantially affect the target system's usability and performance.