[redhat-lspp] Getting rid of multilevel objects
Chad Hanson
chanson at TrustedCS.com
Wed Jul 5 19:51:09 UTC 2006
MLS Systems such as PitBull, HP CMW, and DIGITAL MLS+ supported
at least ranged directories where files of different SLs could be written
into a single directory. These directories have a minimum and maximum
SL which are used to arbitrate MLS write access. Many of these had
ranged devices as well to handle things such as the null device.
-Chad
> -----Original Message-----
> From: Casey Schaufler [mailto:casey at schaufler-ca.com]
> Sent: Monday, July 03, 2006 3:45 PM
> To: Klaus Weidner; lspp-list
> Subject: Re: [redhat-lspp] Getting rid of multilevel objects
>
> --- Klaus Weidner <klaus at atsec.com> wrote:
>
> > Hello,
> >
> > currently the MLS policy supports multilevel objects
> > (using a range where
> > the upper level is not equal to the lower level),
> > for example
> > directories, sockets, and character devices.
>
> Unix MLS systems address these cases thus:
>
> Directories: To modify a directory (e.g. create
> a directory entry) you must be at the same MLS
> label as the directory (which has only one label)
> and the new object gets the label of the process.
>
> Trusted Solaris adds a mkupdir(2)* syscall that
> takes a label as a parameter and sets the label
> of the new directory to that passed, assuming a
> set of conditions are met. These conditions
> include that the new label dominate the process
> label, and that the user is cleared for it.
>
> Trusted Irix allows a user to relabel an
> existing directory, again under constraints,
> including that the user is cleared for the
> new label, it dominates the old label, and
> that the directory is empty.
>
> Sockets: Sockets get the label of the process,
> period. Privilege may be used to modify a
> variety of the aspects of incoming and outgoing
> packet access. The TSIX api proved quite handy.
>
> Devices: Since /dev/tty, ptys, null, zero, all
> demonstrate quirky behaviors they are treated
> independently. Trusted Irix takes advantage of
> its label type scheme to address these, while
> Trusted Solaris pretty much hard codes each as
> a special case.
>
> The Orange Book talks about label ranges on
> file systems, not individual objects, and on
> devices in the context of the labels they may
> have, but only one at a time. I would be
> interested to see how they would be argued to
> satisfy the B&L sensitivity requirements.
>
> -----
> * I think that's the name. It's been a while.
>
> Casey Schaufler
> casey at schaufler-ca.com
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>
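A small model of the two directory policies contrasted in this thread (the single-label "must be at the same label" rule with mkupdir-style upgraded creation and relabeling, versus the ranged directories with a minimum and maximum SL), as an added example that is not part of the original posts. The label encoding, the sample labels and clearances, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """MLS sensitivity label: hierarchical level plus a set of categories."""
    level: int
    cats: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        # Bell-LaPadula dominance: level at least as high, categories a superset.
        return self.level >= other.level and self.cats >= other.cats


@dataclass
class Directory:
    """Directory with a low and high label; single-label when low == high."""
    low: Label
    high: Label
    entries: list = field(default_factory=list)

    @property
    def ranged(self):
        return self.low != self.high


def can_create_entry(proc, d):
    """Can a process at label `proc` add an entry to directory `d`?
    Single-label directory: labels must be equal (the new entry then gets
    the process label). Ranged directory: low <= proc <= high."""
    if not d.ranged:
        return proc == d.low
    return proc.dominates(d.low) and d.high.dominates(proc)


def mkupdir_allowed(proc, clearance, new_label):
    """mkupdir-style upgraded directory creation: the new label must
    dominate the process label and lie within the user's clearance."""
    return new_label.dominates(proc) and clearance.dominates(new_label)


def relabel_allowed(clearance, d, new_label):
    """Relabel of an existing single-label directory: user cleared for the
    new label, new label dominates the old one, and the directory is empty."""
    return (clearance.dominates(new_label) and new_label.dominates(d.low)
            and not d.entries)


# Constructed sample labels (assumed, not from the thread).
UNCLASS = Label(0)
SECRET_A = Label(2, frozenset({"A"}))
TOPSECRET_AB = Label(3, frozenset({"A", "B"}))


def demo():
    single = Directory(SECRET_A, SECRET_A)
    ranged = Directory(UNCLASS, TOPSECRET_AB)       # e.g. a tmp-like ranged dir
    return {
        "single_same": can_create_entry(SECRET_A, single),
        "single_higher": can_create_entry(TOPSECRET_AB, single),
        "ranged_mid": can_create_entry(SECRET_A, ranged),
        "ranged_incomparable": can_create_entry(Label(2, frozenset({"C"})), ranged),
        "mkupdir_ok": mkupdir_allowed(SECRET_A, TOPSECRET_AB, TOPSECRET_AB),
        "mkupdir_downgrade": mkupdir_allowed(SECRET_A, TOPSECRET_AB, UNCLASS),
        "relabel_nonempty": relabel_allowed(
            TOPSECRET_AB, Directory(SECRET_A, SECRET_A, ["f"]), TOPSECRET_AB),
    }
```

The "ranged_incomparable" case shows why a range is checked with dominance rather than a numeric comparison: a label inside the level range but with a category outside the high label's set is still refused.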