SEDarwin is a port of the TrustedBSD Mandatory Access Control (MAC) Framework to Apple’s Darwin operating system platform, along with a Type Enforcement policy based on SELinux. SEDarwin is still experimental, but currently allows the enforcement of mandatory process and file protections under Darwin 8.8 (Mac OS X 10.4.8) on Apple PowerPC hardware.
The TrustedBSD MAC Framework provides support for loadable access control policy modules. Although adding this support required modifying the operating system kernel, the modifications maintain compatibility with existing user space applications and frameworks. The result is a kernel that can provide the features of a trusted operating system while still allowing Apple’s Mac OS X graphical environment to run unmodified.
The MAC Framework provides general-purpose labeling of kernel subjects/objects, centralized policy management, and notification of security-relevant events. The architecture of the SELinux policy module made it ideal to port to other platforms. This project was able to quickly port the user space components and the core of the in-kernel policy enforcement services to Darwin and implement the interfaces that tie it to the MAC Framework.
The download section provides access to regular snapshots from the source tree. The compressed tar files contain the modified Darwin kernel sources, the SEDarwin policy module, additional sample MAC policy modules, and directions for installing SEDarwin on a Mac OS X 10.4.8 system.