MAC implementation with definable policy (resend)

Ilmar S. Habibulin ilmar at ints.ru
Wed Sep 29 16:23:29 GMT 1999


On Wed, 29 Sep 1999, Robert Watson wrote:

> Message-Id: <199909290158.SAA54039 at seal.engr.sgi.com>
> From: bitbug at seal.engr.sgi.com (James Buster)
> Date: Tue, 28 Sep 1999 18:58:16 -0700
> To: posix1e at cyrus.watson.org
> Subject: MAC implementation with definable policy
> 
> One of the limitations of historic MAC implementations is that MAC
> policy, as it relates to the relationship between labels, is a fixed
> and immutable property. Here is my attempt to remedy that. What follows
> is an implementation of the Posix 1e MAC routines with customizable
> policy. Policy is defined, not by levels or categories (or in the case
> of integrity, grades and divisions), but by the operations that a
> subject with label1 is permitted on objects with label2 (which, of
> course, may be the same label).  Any policy can be defined. The
> administrator is not bound by military-style semi-hierarchal label
> relationships. A sample mac policy in "mac_config" is provided.
If I understand this correctly - it is some sort of access matrix (ACL?).
The main feature of MAC is control of information flows, to prevent
unauthorized information declassification (lowering the label). IMHO.

> This is a uuencoded tar file. Just extract and type "make". It should
> create the programs "test" and "macload". They show how the routines
> work and form a testbed for them as well. Debug output (-d) is especially
> useful for understanding what these routines do. Please try them out and
> send any comments, suggestions for improvement, or flames to this list.
FLAME!!! ;-) test core dumps after "policy size == 520", C compiler says
"invalid option: `-fullwarn'".

It's not MAC as I understand it; it does not reflect all aspects of
confidential data processing. Look at http://www.compuniverse.com/rsbac/ -
maybe there you will find something in common? There are many types of access
control implemented. RC is the closest, I suppose.
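
Added example, not part of either post and not code from the posted tarball: a constructed label-pair policy table with a check that derives the information flows the table permits, so the access-matrix question and the information-flow question raised above can be compared on the same input. The label names, operation bits and table layout are assumptions for illustration, not the mac_config format.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample. Label names, operation bits and table layout are
   assumptions for illustration, not the mac_config format. */
enum { PUBLIC, INTERNAL, SECRET, NLABELS };
#define OP_READ  1u
#define OP_WRITE 2u

/* policy[s][o]: operations a subject labelled s may perform on objects labelled o */
static const unsigned sample_policy[NLABELS][NLABELS] = {
    /* PUBLIC   */ { OP_READ | OP_WRITE, 0,                  0                  },
    /* INTERNAL */ { OP_WRITE,           OP_READ | OP_WRITE, OP_READ            },
    /* SECRET   */ { 0,                  0,                  OP_READ | OP_WRITE },
};

/* The per-request check an access matrix answers. */
int direct_access(const unsigned p[NLABELS][NLABELS], int subj, int obj, unsigned op)
{
    return (p[subj][obj] & op) == op;
}

/* Returns 1 if data labelled `from` can end up under label `to` through any
   chain of permitted reads (object -> subject) and writes (subject -> object). */
int can_flow(const unsigned p[NLABELS][NLABELS], int from, int to)
{
    int flow[NLABELS][NLABELS];
    memset(flow, 0, sizeof flow);
    for (int s = 0; s < NLABELS; s++)
        for (int o = 0; o < NLABELS; o++) {
            if (p[s][o] & OP_READ)  flow[o][s] = 1;
            if (p[s][o] & OP_WRITE) flow[s][o] = 1;
        }
    for (int k = 0; k < NLABELS; k++)          /* Warshall transitive closure */
        for (int i = 0; i < NLABELS; i++)
            for (int j = 0; j < NLABELS; j++)
                if (flow[i][k] && flow[k][j]) flow[i][j] = 1;
    return flow[from][to];
}

int main(void)
{
    printf("PUBLIC may read SECRET directly: %d\n",
           direct_access(sample_policy, PUBLIC, SECRET, OP_READ));
    printf("SECRET data can reach PUBLIC:    %d\n",
           can_flow(sample_policy, SECRET, PUBLIC));
    printf("PUBLIC data can reach SECRET:    %d\n",
           can_flow(sample_policy, PUBLIC, SECRET));
    return 0;
}
```

In this constructed table no entry pairs PUBLIC with SECRET, yet the INTERNAL row (read SECRET, write PUBLIC) lets SECRET data reach PUBLIC; a definable policy can be screened with such a closure before it is loaded.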

