MAC question again

Casey Schaufler casey at sgi.com
Tue Sep 28 16:56:22 GMT 1999


Ilmar S. Habibulin wrote:
> 
> Surfing through the web MAC pages, found by AltaVista, I've found some MAC
> implementation details such as the number of hierarchical and non-hierarchical
> categories. So my question is - what are non-hierarchical categories and
> how are they used?

In the Bell & LaPadula model categories are represented by sets.

For a label L1 to dominate (e.g. be able to read) a label L2
	level(L1) >= level(L2) &&
	CategorySet(L2) is a subset of CategorySet(L1)
For a label L1 to equal a label L2
	level(L1) == level(L2) &&
	CategorySet(L2) is the same set as CategorySet(L1)

Note that if L1 dominates L2 and L2 dominates L1 they are equal.
Also note that it is possible for neither to dominate the other,
in which case the labels are said to be incomparable.

Categories are typically used to separate projects. For example,
let's say you're General Motors, with several divisions including
Pontiac, GMC, Cadillac, and Oldsmobile. You bought a Really Big
system to do failure stress analysis which you want the divisions
to share, but you don't want them sharing their data. What you
do is put each division in a separate category, thus preventing
them from accessing each other's data in a way that they can't
change.

> 
> PS. As I understand, my MAC implementation is lame. :( There are no
> non-hierarchical categories there. Only levels. I thought that these
> non-hierarchical categories may be somehow emulated(?) by DAC groups.


-- 

Casey Schaufler                         voice: (650) 933-1634
casey at sgi.com                           fax:   (650) 933-0170
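
Added example, not part of the original message or of any POSIX.1e implementation: the dominance, equality and incomparability rules from the reply above, applied to the General Motors scenario. The label layout (a level plus a category bitmask), the function names and the sample labels are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label layout (an assumption for this example): one
 * hierarchical level plus one bit per non-hierarchical category. */
enum { CAT_PONTIAC = 1u << 0, CAT_GMC = 1u << 1,
       CAT_CADILLAC = 1u << 2, CAT_OLDSMOBILE = 1u << 3 };

struct label {
    unsigned level;       /* hierarchical sensitivity level */
    uint32_t categories;  /* category set as a bitmask */
};

/* L1 dominates L2: level(L1) >= level(L2) and
 * CategorySet(L2) is a subset of CategorySet(L1). */
static bool label_dominates(struct label l1, struct label l2)
{
    return l1.level >= l2.level &&
           (l2.categories & ~l1.categories) == 0;
}

/* Equal: same level and the same category set. */
static bool label_equal(struct label l1, struct label l2)
{
    return l1.level == l2.level && l1.categories == l2.categories;
}

/* Incomparable: neither label dominates the other. */
static bool label_incomparable(struct label l1, struct label l2)
{
    return !label_dominates(l1, l2) && !label_dominates(l2, l1);
}

/* Constructed sample labels for the divisions sharing one system. */
static const struct label pontiac_user  = { 1, CAT_PONTIAC };
static const struct label pontiac_data  = { 0, CAT_PONTIAC };
static const struct label cadillac_data = { 1, CAT_CADILLAC };
static const struct label auditor       = { 1, CAT_PONTIAC | CAT_CADILLAC };

int main(void)
{
    printf("pontiac user  -> pontiac data:  %d\n", label_dominates(pontiac_user, pontiac_data));
    printf("pontiac user  -> cadillac data: %d\n", label_dominates(pontiac_user, cadillac_data));
    printf("incomparable (same level):      %d\n", label_incomparable(pontiac_user, cadillac_data));
    printf("auditor       -> cadillac data: %d\n", label_dominates(auditor, cadillac_data));
    return 0;
}
```

The Pontiac user and the Cadillac data sit at the same level yet are incomparable, which is the separation a levels-only implementation cannot express.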