MAC and hierarchical directory structure

Ilmar S. Habibulin ilmar at
Sat Mar 4 05:45:27 GMT 2000

How should I implement MAC in a hierarchical directory structure? Now I have
write permission only if OBJ_MACLABEL dominates SUBJ_MACLABEL. This would
help SUBJ to create any file with labels from SYSLOW to OBJ_MACLABEL. But
there is another rule - reading of directory contents. SUBJ can read a
directory only if SUBJ_MACLABEL dominates OBJ_MACLABEL. So the valuable
work (read/write) is possible only if SUBJ_MACLABEL is equal to
OBJ_MACLABEL. So this makes impossible proper use of /tmp and other similar
directories. I implement an extended attribute (flag) that overrides write
permission, so SUBJ can create files with any labels in this directory - am
I right or wrong?
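The two directory rules from the post, modelled in C as an added example that is not code from the original message or from any kernel; the label layout (level plus category bitmask), the struct and function names, and the DIRFLAG_ANYLABEL flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed label: a sensitivity level plus a category bitmask. */
typedef struct { unsigned level; uint32_t cats; } mac_label;
static const mac_label SYSLOW = {0, 0};

/* a dominates b when a's level is at least b's and a holds every category of b. */
static bool mac_dominates(mac_label a, mac_label b) {
    return a.level >= b.level && (b.cats & ~a.cats) == 0;
}

/* Directory object; DIRFLAG_ANYLABEL is the override flag proposed in the post. */
#define DIRFLAG_ANYLABEL 0x1u
typedef struct { mac_label label; unsigned flags; } mac_dir;

/* Read rule from the post: SUBJ_MACLABEL must dominate OBJ_MACLABEL. */
static bool dir_can_read(mac_label subj, const mac_dir *dir) {
    return mac_dominates(subj, dir->label);
}

/* Write rule from the post: OBJ_MACLABEL must dominate SUBJ_MACLABEL,
 * unless the directory carries the override flag. */
static bool dir_can_write(mac_label subj, const mac_dir *dir) {
    if (dir->flags & DIRFLAG_ANYLABEL)
        return true;
    return mac_dominates(dir->label, subj);
}

/* Both rules at once: without the flag this holds only when the labels are equal. */
static bool dir_usable(mac_label subj, const mac_dir *dir) {
    return dir_can_read(subj, dir) && dir_can_write(subj, dir);
}

/* Label a new file may carry: anything from SYSLOW up to the directory label,
 * or any label at all when the override flag is set. */
static bool dir_can_create(mac_label subj, const mac_dir *dir, mac_label newlabel) {
    if (!dir_can_write(subj, dir))
        return false;
    if (dir->flags & DIRFLAG_ANYLABEL)
        return true;
    return mac_dominates(dir->label, newlabel) && mac_dominates(newlabel, SYSLOW);
}

int main(void) {
    mac_label subj = {2, 0x1};                 /* constructed subject label */
    mac_dir tmp = {SYSLOW, DIRFLAG_ANYLABEL};  /* /tmp with the override flag */
    mac_dir home = {{2, 0x1}, 0};              /* directory at the subject's label */
    printf("tmp usable: %d, home usable: %d\n", dir_usable(subj, &tmp), dir_usable(subj, &home));
    return 0;
}
```

The flag restores read plus write on /tmp for every subject; the label stored on each created file is still what later governs who may read that file.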

