LinuxSecuritySummit2010/Abstracts/Schreuders FBAC

From Linux Security Wiki (obsolete)
Revision as of 09:53, 15 June 2010 by JamesMorris (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


Linux Security Usability: Restricting Programs Using SELinux, AppArmor and FBAC-LSM


Z. Cliffe Schreuders, Murdoch University


A number of security mechanisms are available for improving the security of Linux systems by restricting the actions of processes to specific authorised activity. However, configuring these systems to enforce users’ own security goals, such as protecting their own data from misbehaving software, is often beyond the expertise of end users.

A recent study[1] analysed the usability of two of the most widely deployed security extensions for Linux, SELinux and AppArmor, and a new experimental system designed with end user usability in mind, FBAC-LSM. The study found that using FBAC-LSM participants had significantly higher user satisfaction (followed by AppArmor then SELinux), and participants were also significantly more successful at restricting the actions of malicious software using FBAC-LSM.

In this presentation I will share some of the key results of the study with the Linux security community. Based on observations made while conducting the usability study I will also offer constructive criticism of the usability of AppArmor and SELinux and offer suggestions for improving the usability of these systems. I will introduce FBAC-LSM and describe its usability design features, and discuss current project goals such as exporting to and managing AppArmor profiles.

FBAC-LSM is FOSS, in development, and is available at:

[1] Paper awaiting publication: “Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing SELinux, AppArmor and FBAC-LSM”

Personal tools