[redhat-lspp] Getting rid of multilevel objects

Chad Hanson chanson at TrustedCS.com
Wed Jul 5 19:51:09 UTC 2006 

MLS Systems such as PitBull, HP CMW, and DIGITAL MLS+ supported 
at least ranged directories where files of different SLs could be written
into a single directory. These directories have a minimum and maximum
SL which are used to arbitrate MLS write access. Many of these had
ranged devices as well to handle things such as the null device.

-Chad  

> -----Original Message-----
> From: Casey Schaufler [mailto:casey at schaufler-ca.com]
> Sent: Monday, July 03, 2006 3:45 PM
> To: Klaus Weidner; lspp-list
> Subject: Re: [redhat-lspp] Getting rid of multilevel objects
> 
> 
> 
> 
> --- Klaus Weidner <klaus at atsec.com> wrote:
> 
> > Hello,
> > 
> > currently the MLS policy supports multilevel objects
> > (using a range where
> > the upper level is not equal to the lower level),
> > for example
> > directories, sockets, and character devices.
> 
> Unix MLS systems address these cases thus:
> 
> Directories: To modify a directory (e.g. create
> a directory entry) you must be at the same MLS
> label as the directory (which has only one label)
> and the new object gets the label of the process.
> 
> Trusted Solaris adds a mkupdir(2)* syscall that
> takes a label as a parameter and sets the label
> of the new directory to that passed, assuming a
> set of conditions are met. These conditions
> include that the new label dominate the process
> label, and that the user is cleared for it.
> 
> Trusted Irix allows a user to relabel an
> existing directory, again under constraints,
> including that the user is cleared for the
> new label, it dominates the old label, and
> that the directory is empty.
> 
> Sockets: Sockets get the label of the process,
> period. Privilege may be used to modify a
> variety of the aspects of incoming and outgoing
> packet access. The TSIX api proved quite handy.
> 
> Devices: Since /dev/tty, ptys, null, zero, all
> demonstrate quirky behaviors they are treated
> independently. Trusted Irix takes advantage of
> it's label type scheme to address these, while
> Trusted Solaris pretty much hard codes each as
> a special case.
> 
> The Orange Book talks about label ranges on
> file systems, not individual objects, and on
> devices in the context of the labels they may
> have, but only one at a time. I would be
> interested to see how they would be argued to
> satisfy the B&L sensitivity requirements.
> 
> -----
> * I think that's the name. It's been a while.
> 
> Casey Schaufler
> casey at schaufler-ca.com
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>

More information about the redhat-lspp mailing list