MAC and hierarchical directory structure

Casey Schaufler casey at sgi.com
Mon Mar 6 17:25:47 GMT 2000


"Ilmar S. Habibulin" wrote:
> 
> How should I implement MAC in a hierarchical directory structure? Now I have
> write permission only if OBJ_MACLABEL dominates SUBJ_MACLABEL. This would
> help SUBJ to create any file with labels from SYSLOW to OBJ_MACLABEL. But
> there is another rule - reading of directory contents. SUBJ can read a
> directory only if SUBJ_MACLABEL dominates OBJ_MACLABEL. So the valuable
> work (read/write) is possible only if SUBJ_MACLABEL is equal to
> OBJ_MACLABEL. So this makes proper use of /tmp and other such
> directories impossible. I implement an extended attribute (flag) that overrides write
> permission, so SUBJ can create files with any labels in this directory - am
> I right or wrong?

There have been two approaches to this problem. The first uses a
special system call, something like mkdirwithmac(path, mac_label)
which creates a new directory at the specified mac label. The second
scheme allows unprivileged users to set the mac on a directory
under certain conditions.

In all cases, the process must be at the same mac as the containing
directory. Also, the new label must dominate the label of the
containing directory. Where possible, the user's clearance is checked
to ensure that the new label is contained therein. Checking a user's
clearance is usually only done in applications, as it's not often
considered an appropriate process attribute.

Changing the label on an existing directory is sometimes restricted to
empty directories. In other cases, the entire hierarchy under the
directory is changed as well.

Either scheme is defensible. The first requires programs be written
mac-aware. The second requires a smart command to set the mac label
on directories.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey at sgi.com				voice: (650) 933-1634