posix mac

Ilmar S. Habibulin ilmar at ints.ru
Thu Apr 15 14:53:37 GMT 1999


On Wed, 14 Apr 1999, Casey Schaufler wrote:

Ok. I will begin with my MAC implementation concept.
A user has some access level, which describes the max level of sensitivity of
information that the user can read/write. But we can't use this level as the
starting point for applying MAC rulez. Because if we do it, the user
will work only at his max level or will have uncontrolled access to
write operations. So he can write sensitive data as non-sensitive.
Because of that I have a second level, which is called current. At the very
beginning the user has a current level equal to system low. His current level
may be increased while working up to the value of his max level. So we have
floating levels.

> > My thought about sockets and MAC label - process, which wants to make
> > network connection must have MAC label equal to System Low(am i right?).
> 
> You need to make a conscious decision about the MAC label to use
> with sockets based on the particular network configuration involved.
> Some examples:
> 
> The "Maryland" network is kept internal to a building. All of
> the systems on the network are running the same, MAC enabled OS.
> These systems pass security attribute information to one another
> in IP options in the IP header, and can be counted on to do so
> consistently. There's no reason that delivery to sockets can't
> be constrained on a per-socket basis.
I don't know what the "Maryland" network is, but what do you say about the
possibility of writing to the socket from different processes which have
different current levels? What level should the socket have? Or how would
the current level of the receiving process or processes change?

> The "Colorado" configuration consists of a network on which all the
> information is considered secret. All internet domain sockets should
> be treated as secret.
I think, that MAC should be implemented inside OS kernel, not by
administrative steps.

> > You ask me why? Because, if we will look at such complex thing as Desktop
> > network connections. So, process credits/auth info/crypt keys/etc - maybe
> > passed and used by network layer. MAC can't. That's my point.
> > Agreed?
> Nope. Read the Trusted Irix FER (on http://www.radium.ncsc.mil/tpep)
I'm trying. ;-)

> The X server runs (on that version of the system) as the user, with
> the user's MAC label. The server would only connect to processes
> running at that MAC label. It worked, however, unmodified.

                     X Server
                   ^|       |^
                   ||       ||
                   ||       ||
              --1--+|       |+--3----
  X Client A        |       |         X Client B
              <-2---+       +---4--->

Let's consider that when a process receives some classified data from a socket
its current level increases. So it can't receive unclassified data.
Oh, sorry - I just got confused and lost the thread of my thought. :( But there was some
reason that forced me to limit socket operations. I will try to remember
it.

> > Sources are commercial secret? ;-)
> So far, but you never know ....
Sorry, I don't understand what you are saying.

> > ... And i just don't figure out what TSIG is. Some inet
> > group or what?
> The Trusted Systems Interoperability Group (TSIG) was the
> industry forum tasked with getting everybody's B1/CMW systems
> to talk with each other. DEC, HP, Sun, SGI, Cray, SecureWare, ...
And maybe FreeBSD? ;-) Do they have B1 systems? And are they certified?

> > Oh. Shared memory is a very dangerous thing. (and mmap too). For shared
> > memory I propose system low level, and for mmap - system low only for
> > writing.
> System V IPC objects get the MAC of their creators. Otherwise,
> they're useless.
Every newly created object gets the current MAC level of its creator. But
shared memory and mmap have uncontrolled possibilities for write operations.
I have some thoughts on how to control them, but I'm not such a good system
programmer to implement it.

> > My implementation is - the label of a device represents the max sensitivity label of
> > data that can be passed through the device. Like it?
> But what label do you use for access checks?
The device is labeled with one level. And I'm using the current process level for
checking.

> Directories usually get treated like any other sort of files,
> with debate centered around how to have a hierarchy which
> has directories with different labels. Usually it's done by
> allowing users to upgrade their directories.
??? What to do? What do you mean by the word 'upgrade' - increase the dir label?

> > >       what label to give audit trails
> > I think it's the admin's job to think about it. Or did I just get something wrong?
> The question is how to give an auditor the rights to see the audit
> data without giving her the rights to see all the user's data.
What user data??? I thought that the auditor must have access to all logged
info. Am I wrong?

> > >       what label to give system data
> > What is system data? I think that inside the system (kernel) data shouldn't
> > have any MAC restrictions, only MAC labels. Or am I wrong again?
> What should the MAC be on /etc/passwd? how about /etc/shadow?
> /var/adm/SYSLOG?
/etc/passwd - System Low. /etc/shadow - System High. ;-)

> > >       how to represent "System High"
> > It's the highest MAC label in the system?
> Right, but if you allow thousands of categories, this can be tricky.
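
A small model of the floating-label scheme discussed in this message, added here as an illustration (it is not code from either correspondent): a process has a fixed clearance and a current label that starts at system low and floats up on reads, newly created objects take the creator's current label, and the device check compares the device's max label against the process's current level. The (level, categories) label form and the no-write-down rule (the target must dominate the current label) are my assumptions; the level names and objects are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """MAC label: a sensitivity level plus a set of categories (assumed form)."""
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: higher-or-equal level and a superset of categories.
        return self.level >= other.level and self.cats >= other.cats

    def lub(self, other):
        # Least upper bound: what a process floats to after mixing two labels.
        return Label(max(self.level, other.level), self.cats | other.cats)


SYSTEM_LOW = Label(0)


@dataclass
class Obj:
    name: str
    label: Label


@dataclass
class Process:
    clearance: Label              # max label the user may ever reach
    current: Label = SYSTEM_LOW   # floating level, starts at system low

    def read(self, obj):
        # Refused above clearance; otherwise the current label floats up.
        if not self.clearance.dominates(obj.label):
            return False
        self.current = self.current.lub(obj.label)
        return True

    def write(self, obj):
        # Assumed no-write-down rule: target must dominate the current label,
        # so data read at a higher level cannot be written out as lower.
        return obj.label.dominates(self.current)

    def create(self, name):
        # New objects inherit the creator's *current* label, not its clearance.
        return Obj(name, self.current)

    def use_device(self, dev_max):
        # A device carries the max label it may pass; check the current level.
        return dev_max.dominates(self.current)


def demo():
    """Constructed walk-through: write-down is blocked after a classified read."""
    secret = Label(2, frozenset({"proj"}))
    p = Process(clearance=secret)
    public, plan = Obj("public.txt", Label(0)), Obj("plan.txt", secret)
    return [p.write(public),                   # True: still at system low
            p.read(plan),                      # True: current floats to secret
            p.write(public),                   # False: would leak secret as public
            p.create("notes").label == secret] # True: new object gets current label
```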
