XACE merged into Xorg for X11R7.2
By alanc on Oct 06, 2006
The XACE framework for handling security policy extensions has been merged to the Xorg server code base for the upcoming X11R7.2 release. This is the rough equivalent of the hooks that were put into the core Solaris Xsun & Xorg servers to call out to the Xtsol extension module as necessary to implement the security policy.
XACE was originally designed by Eamon Walsh at the NSA for SELinux, and working with us this summer, modified to add the additional hooks needed by Xtsol, so it could serve as a common framework acceptable to both SELinux & Solaris Trusted Extensions. (For instance, in the original design, there were no hooks for auditing, as the SELinux code did not audit X requests as Xtsol does.)
The actual policy extension modules (X-SELINUX & Xtsol) were not ready to merge in time for the 7.2 release, so they are planned for the 7.3 release. (X.Org is currently doing full releases every 6 months, May & November, but individual modules can release at any time they are ready, so just because we missed 7.2 doesn't mean we have to wait until next May to integrate Xtsol to X.Org.)
For those who aren't familiar with the technology, a brief overview may be found in the slides [PDF format] from my talk on Security Extensions in X from this summer's Desktop Developer's Conference. A much more detailed look at the Solaris Trusted Extensions OS as a whole, including the X server and desktop, can be found in the slides from the Trusted Extensions talk by Glenn Faden at last week's Silicon Valley OpenSolaris User Group meeting.