[redhat-lspp] Getting rid of multilevel objects

LC Bruzenak lenny at bruzenak.com
Thu Jul 6 14:10:08 UTC 2006


On Thu, 2006-07-06 at 08:10 -0400, Knoke, Jim (US SSA) wrote:
> Can anyone explain why MLS systems tend to require objects to dominate
> their containing directory? Is it just to simplify covert channel
> analysis? Is it just a usability issue in that a user may get confused
> if s/he can set a working directory, but then potentially not be able
> to read ".."?
> 

Say a directory = SECRET. That means the dir file is labeled SECRET.
Quite possibly because the filenames are themselves SECRET.

To be able to read with no privilege requires dominance. To be able to
write w/o privs requires equality.

Therefore, the requirement matches the MAC enforcement.

> 
> Are regrades of non-empty directories typically disallowed just
> because of the complexity of locking all the contained objects during
> the regrade operation?
> 

I believe that is one reason. Quite possibly could break some code if
the writer assumed that the directory was always going to allow 
syslo->syshi files and later someone changed the directory level up.

In practice it was seldom done.

Usually (but not always) directories are either multilevel
(polyinstantiated) or syslo. In cases where they are not either of those
they are either well-known and static or else labeled when created.

LCB.

-- 
LC Bruzenak
lenny at bruzenak.com
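
Added example (not part of the original message): a small Python model of the two rules stated in the reply above, read requires dominance and unprivileged write requires equality, showing which readers are cut off when a file's label does not dominate its directory. The level names, category sets and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ordering for illustration; a real MLS policy defines its own levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Level at least as high AND a superset of the other's categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject, obj):
    # Read without privilege requires dominance.
    return subject.dominates(obj)


def can_write(subject, obj):
    # Write without privilege requires equality.
    return subject == obj


def can_create_in(subject, directory):
    # Adding a name modifies the directory file, so it is a write to it.
    return can_write(subject, directory)


def cut_off_readers(directory, file, subjects):
    # Subjects cleared to read the file that cannot read the directory
    # holding its name, so they cannot look the file up by path.
    return [s for s in subjects
            if can_read(s, file) and not can_read(s, directory)]


if __name__ == "__main__":
    conf, secret, ts = Label("CONFIDENTIAL"), Label("SECRET"), Label("TOP SECRET")
    subjects = [conf, secret, ts]
    # File below its SECRET directory: CONFIDENTIAL readers are cut off.
    print(cut_off_readers(secret, conf, subjects))
    # File dominating its directory: every reader of the file can read the directory.
    print(cut_off_readers(secret, ts, subjects))
    # Only a SECRET subject can add names to the SECRET directory unprivileged.
    print([s.level for s in subjects if can_create_in(s, secret)])
```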



