Journal of University of Chinese Academy of Sciences

2006, Vol. 23, Issue (2): 205-212. DOI: 10.7523/j.issn.2095-6134.2006.2.022


An Unified Framework Supporting Multiple Security Policy Models to Secure Linux

YUAN Chun-Yang, SHI Wen-Chang, LIANG Hong-Liang, WU Yan-Jun, SHANG Qing-Hua   

1. Institute of Software, Chinese Academy of Sciences, Beijing 100080, China
Received: 1900-01-01; Revised: 1900-01-01; Online: 2006-03-15

Abstract: As the basis of all kinds of applications, operating systems face more and more security threats. Linux has two main access control schemes, namely traditional discretionary access control and capabilities, and neither is sufficient to protect the system against attacks. In terms of access control and privilege division, security policy models are designed and implemented as loadable kernel modules to secure Linux. Although many security policies have already been proposed, different environments require different security policies. A unified framework is therefore needed to combine these various security policies and to adjust their priorities appropriately according to the requirements of the application; in this way the adaptivity of the system can be improved. SECIMOS (SECurity in Mind Operating System) is such a unified framework: it supports multiple security policy modules simultaneously and allows different modules to be loaded selectively when trading off security against performance. The framework is based on LSM (Linux Security Module). However, LSM provides neither a policy for determining the call sequence of multiple modules nor mechanisms for implementing modules that are not access control modules. In SECIMOS, these problems are solved by assigning a metapolicy and extending LSM. In this paper, we analyze the restrictions of the two main security schemes in Linux. Then the SECIMOS architecture is outlined, and the security policy model and the security modules are introduced in turn. The way these modules are combined within LSM is described. Finally, the performance of SECIMOS and a comparison with other security projects are discussed.

Key words: secure operating system, access control, audit, Linux Security Module, security policy model
