Top NSA Banner

The following organizations and individuals have contributed to the Security-enhanced Linux project. The listing of contributors is partitioned into two lists:

1. a list of the original four organizations that contributed to the initial public release of SELinux,
2. a list of external individuals and organizations that have contributed to SELinux since that initial release.

The Original Contributors

The National Security Agency (NSA)

Researchers in NSA's National Information Assurance Research Laboratory (NIARL) designed and implemented flexible mandatory access controls in the major subsystems of the Linux kernel and implemented the new operating system components provided by the Flask architecture, namely the security server and the access vector cache. The NSA researchers reworked the LSM-based SELinux for inclusion in Linux 2.6. NSA has also led the development of similar controls for the X Window System (XACE/XSELinux) and for Xen (XSM/Flask).

Network Associates Laboratories (NAI Labs)

The Secure Execution Environments group of NAI Labs implemented several additional kernel mandatory access controls, developed the example security policy configuration, ported to the Linux 2.4 kernel, contributed to the development of the Linux Security Modules kernel patch, and adapted the SELinux prototype to LSM.

The MITRE Corporation

The MITRE Corporation enhanced several common utilities to be SELinux-aware and developed application security policies and documentation for the Apache web server, Sendmail, and crond. They also developed a policy analysis tool (SLAT) and a policy generation tool (Polgen).

Secure Computing Corporation (SCC)

Secure Computing Corporation developed a preliminary security policy configuration for the system that was used as a starting point for NAI Labs' configuration. They also developed several new or modified utilities.

External Contributors to SELinux

Matt Anderson

Matt Anderson of HP developed support for labeled printing in the CUPS software.

Ryan Bergauer

Ryan Bergauer contributed the original policy configuration for Samba.

Bastian Blank

Bastian Blank contributed several code cleanups and 64bit fixes for checkpolicy and libselinux (joint with Joerg Hoh.)

Thomas Bleher

Thomas Bleher contributed several new policy files and many policy patches. He also contributed a patch for audit2allow. He also adapted the policy configuration for SuSE Linux, and ported and packaged the SELinux userspace packages for SuSE Linux (no longer being maintained).

Joshua Brindle

Joshua Brindle originally ported and packaged SELinux for the Hardened Gentoo project along with Chris PeBenito, and contributed several enhancements to the SELinux userland. Since joining Tresys Technology, Joshua has helped to develop the loadable policy module support, hierarchical type support, and the policy management server. Joshua is one of the maintainers of the core SELinux userland.

Russell Coker

Russell Coker originally ported and packaged SELinux for Debian, and made several enhancements to the SELinux userland. Russell was the largest single external contributor to the example policy configuration.

John Dennis

John Dennis of Red Hat developed the setroubleshoot tool for troubleshooting SELinux denials.

Janak Desai

Janak Desai of IBM developed pam_namespace support for polyinstantiated directories and the original form of multi-level crond support.

Ulrich Drepper

Ulrich Drepper contributed several patches to optimize and improve libselinux, including reworking the string table generation for the Flask definitions. He provided input and feedback on the SELinux patch for nscd and on the controls over executable memory.

Lorenzo Hernandez Garcia-Hierro

Lorenzo Hernandez Garcia-Hierro developed the execstack and execheap permission checks for controlling specific forms of executable memory based on input by Roland McGrath, Ulrich Drepper, and Ingo Molnar.

Darrel Goeddel

Darrel Goeddel of Trusted Computer Solutions was one of the developers of the MLS enhancements to SELinux. Darrel also contributed other fixes and enhancements to the SELinux kernel and userland, and helped develop support for context based audit filtering.

Carsten Grohmann

Carsten Grohmann contributed the original policy configuration for Amanda, and several patches to other policy files.

Steve Grubb

Steve Grubb of Red Hat helped integrate SELinux with audit, contributed cleanup patches for pam_selinux, libselinux, enhanced the boolean utilities and sestatus utility, and improved the checking in the libselinux AVC netlink code.

Ivan Gyurdiev

Ivan Gyurdiev developed support for managing and manipulating non-module policy components in libsepol, libsemanage and policycoreutils. He also contributed a number of patches to provide better abstraction and organization in libsepol. He contributed several policy cleanups and improvements, including the access_terminal macro, proper marking of shared objects that require text relocations, the mplayer policy, desktop policy, etc.

Serge Hallyn

Serge Hallyn of IBM contributed a number of bug fixes and cleanups to the SELinux userland and was one of the developers of the original labeled IPSEC implementation for SELinux.

Chad Hanson

Chad Hanson of Trusted Computer Solutions was one of the developers of the MLS enhancements to SELinux. He also contributed several fixes and enhancements for the policy compiler, such as node context and role dominance ordering, and various improvements to the SELinux userland and kernel code.

Joerg Hoh

Joerg Hoh contributed several code cleanups and 64bit fixes for checkpolicy and libselinux (joint with Bastian Blank.)

Trent Jaeger

Trent Jaeger of IBM (now at Penn State University) led the development of the original labeled IPSEC implementation.

Dustin Kirkland

Dustin Kirkland of IBM helped develop support for auditing of SELinux contexts.

Kaigai Kohei

Kaigai Kohei of NEC replaced the original Access Vector Cache (AVC) locking scheme with a RCU-based approach, which solved the major SELinux kernel scalability problem, and fixed other locking issues in the SELinux kernel code. He later optimized the SELinux ebitmap implementation to improve performance on AVC misses. He also developed SE PostgreSQL, and is one of the developers for the SE busybox project.

Paul Krumviede

Paul Krumviede contributed to the original IPSEC policy configuration.

Joy Latten

Joy Latten of IBM modified IPSEC tools for labeled IPSEC, and developed policy for labeled IPSEC. Joy also ported the SELinux testsuite to the LTP.

Tom London

Tom London contributed several policy patches and a fix for the audit2allow script.

Karl MacMillan

Karl MacMillan of Tresys Technology helped in developing the SETools policy analysis suite, the conditional policy (boolean) support and the loadable module support. Karl also developed the SEPolgen python module for policy generation. Karl served as one of the maintainers of the SELinux core userland.

Brian May

Brian May contributed several new domains and patches to the policy configuration. He back ported Russell Coker's work to Debian stable (woody) and maintained it.

Frank Mayer

Frank Mayer of Tresys Technology originally introduced policy to support policy management, contributed extensions to the policy compiler, and helped in developing conditional policy support. He was one of the original developers of the SETools policy analysis suite.

Todd Miller

Todd Miller of Tresys Technology helped to develop the final versions of the genhomedircon rewrite in libsemanage and the policy capability support in the policy compiler toolchain. Todd is one of the maintainers of the core SELinux userland.

Roland McGrath

Roland McGrath of Red Hat provided input and feedback on the AT_SECURE support, inheritance controls on execve, and controls over executable memory.

Paul Moore

Paul Moore of HP developed the NetLabel explicit packet labeling framework, including the support for using the Commercial IP Security Option with IPv4. He is the maintainer of the labeled networking implementation in Linux. He also developed the kernel support for a mechanism to allow SELinux controls to be extended in a backward compatible manner, and has worked on enhancing and unifying the network access controls.

James Morris

James Morris of Red Hat is a maintainer for the SELinux kernel code. He originally developed the LSM networking hooks and the first labeled networking implementation for SELinux (Selopt). He has developed a number of enhancements to SELinux, including new network access controls, the original context mount support, getpeercon support, SECMARK, etc.

Yuichi Nakamura

Yuichi Nakamura of Hitachi Software optimized the SELinux kernel code to reduce memory usage and to reduce read/write overhead, and he introduced an embedded build option for the SELinux userland. He was one of the developers for busybox SELinux support. He contributed the original policy configuration for BIND.

Greg Norris

Greg Norris contributed several new policy files and policy patches.

Eric Paris

Eric Paris of Red Hat is one of the maintainers of the SELinux kernel code and has contributed several enhancements to SELinux, including the sockcreate API, improved handling of the context mount options, handling of unknown classes and permissions, and protection for null derefs.

Chris PeBenito

Chris PeBenito originally worked with Joshua Brindle on porting and packaging SELinux for the Hardened Gentoo project. Chris is the SELinux team leader for Hardened Gentoo. At Tresys Technology, Chris developed and maintains the reference policy, which replaced the original NSA example policy. Chris has also contributed enhancements for the SELinux userland and kernel code, including the object class and permission discovery mechanism.

Red Hat

Red Hat has integrated full SELinux support into both its community-based Fedora distribution and its Red Hat Enterprise Linux distribution. This work included integration of the upstream SELinux into the distribution as well as the creation of SELinux-aware package management and other userspace support for SELinux, extensive policy work to address all applications in the distribution, and administrative tool support for SELinux. Red Hat has contributed back numerous enhancements to the SELinux kernel code, userland, and policy to the SELinux community.

Petre Rodan

Petre Rodan contributed several new policy files and many policy patches.

Shaun Savage

Shaun Savage helped in porting several of the SELinux utility patches to newer Red Hat base versions, and he contributed several domains to the example policy configuration.

Chad Sellers

Chad Sellers of Tresys Technology prototyped the polyinstantiated directory mechanism and developed the new kernel validation mechanism for checking class and permission definitions.

Rogelio Serrano Jr.

Rogelio Serrano Jr. contributed a patch to the SELinux security module to support automatic type transitions for pts nodes in devfs prior to the transition to udev.

Justin Smith

Justin Smith contributed a domain for ipchains, some patches to the existing policy configuration, and the initial version of the newrules script (later renamed to audit2allow).

Manoj Srivastava

Manoj Srivastava contributed to the SELinux userland, wrote the SELinux UML HOWTO, developed SELinux support for xdm, packaged the SELinux userland for Debian, and worked on SELinux integration into Debian for the etch release.

Tresys Technology

Tresys Technology developed the support for conditional policy (booleans), loadable policy modules, and policy management infrastructure. Tresys developed and maintains the reference policy, which replaced the original NSA example policy. Tresys has also developed and maintains a number of policy tools and frameworks, including the original SE Tools policy analysis suite, the SELinux Policy IDE (SLIDE), and the Cross Domain Solution (CDS) Framework IDE.

Michael Thompson

Michael Thompson of IBM enhanced newrole to support pam_namespace and rewrote most of newrole.

Trusted Computer Solutions

Trusted Computer Solutions (TCS) developed enhanced MLS support, enhanced audit support, and dynamic context transition support. TCS also significantly enhanced and improved the labeled IPSEC support, and provided assistance with designing forwarding controls. TCS contributed a number of fixes and enhancements to the SELinux kernel and userland code.

Tom Vogt

Tom Vogt developed patches for the Apache and MySQL policies, and developed a SubVersion policy.

Reino Wallin

Reino Wallin of Oribium Labs contributed some patches to the network policy configuration.

Dan Walsh

Dan Walsh of Red Hat ported the original SELinux userspace patches to the 2.6 SELinux API and to the Fedora Core packages. He is the maintainer of the targeted policy, and has contributed many policy files and fixes to the strict and targeted policies. He has developed SELinux patches for many additional userspace packages. He developed the system-config-selinux GUI.

Colin Walters

Colin Walters contributed build patches and cleanups for the 2.6-based SELinux, enhanced chcon to accept individual field options, enhanced setfiles to validate contexts against a binary policy, and contributed the policy regression testing patch and package metadata patch. He also enhanced the SELinux patch for dbusd and developed policy for dbusd.

Mark Westerman

Mark Westerman contributed several domains to the example policy configuration, and he developed the default user patch for Linux users who do not need to be distinguished by the SELinux policy.

David A. Wheeler

David A. Wheeler contributed several new domains to the policy configuration, provided feedback on the existing configuration, and made a number of helpful suggestions for improving the SELinux policy.

Venkat Yekkirala

Venkat Yekkirala of Trusted Computer Solutions enhanced the labeled IPSEC mechanism and helped design more comprehensive network access controls, including forwarding controls.

Catherine Zhang

Catherine Zhang of IBM developed interfaces for obtaining peer and datagram labels for labeled IPSEC.

Linux is a registered trademark of Linus Torvalds
MITRE is a registered trademark of The MITRE Corporation
NAI is a trademark of Networks Associates Technology, Inc.
Red Hat is a registered trademark of Red Hat, Inc. in the US and other countries.
IBM is a registered trademark of International Business Machines Corporation.
HP is a registered trademark of Hewlett-Packard Development Company, L.P.
Secure Computing is a registered trademark of Secure Computing Corporation