MAC BIBA/MLS Compartments

ASV asv at inhio.net
Thu Feb 1 16:41:12 UTC 2018 

Hi everyone,
I'm experiencing something which is making me doubting completely about
my understanding of compartments through BIBA and MLS models.

I'm working in /home/shared
# setpmac biba/equal,mls/equal ls -lZ /home/
drwxrwxrwt  2 root     wheel    biba/equal,mls/equal       512 Feb  1
16:43 shared
......

playing with file "class2" within "shared"
# setpmac biba/equal,mls/equal ls -lZ /home/shared/
total 24
-rw-rw-r--  1 lld      wheel  biba/10:1+2,mls/10:1+2      42 Jan 30
20:56 class0
-rw-rw-r--  1 asv  wheel  biba/10:1+2+3,mls/10:1+2+3  31 Jan 31 10:49
class1
-rw-rw-r--  1 asv  wheel  biba/10:1+2+3,mls/10:1+2+3 106 Feb  1 17:05
class2

which contains a line for testing
# setpmac biba/equal,mls/equal cat /home/shared/class2 
classified content

working as user asv
$ getpmac
biba/10:1+2+3(8:1+2-12:1+2+3+4),mls/10:1+2+3(8:1+2-
12:1+2+3+4),partition/5

$ setpmac biba/12:1+2+3,mls/8:1+2 echo "blablabla2" >> shared/class2
$ setpmac biba/12:1+2+3,mls/8:1+2+3 echo "blablabla3" >> shared/class2
$ setpmac biba/12:1+2+3,mls/8:1+2+3+4 echo "blablabla4" >>
shared/class2
$ setpmac biba/12:1+2+3,mls/8:1+2+3+4+5 echo "blablabla5" >>
shared/class2
biba/12:1+2+3,mls/8:1+2+3+4+5: Operation not permitted 	(ok as
subject isn’t in compartment 5)
$ setpmac biba/12:1+2+3+4,mls/8:1+2+3+4 echo "blablabla5" >>
shared/class2
$ setpmac biba/12:1+2,mls/8:1+2+3+4 echo "blablabla6" >> shared/class2
$ setpmac biba/12:1,mls/8:1+2+3+4 echo "blablabla7" >> shared/class2
biba/12:1,mls/8:1+2+3+4: Operation not permitted	(WHY?! if
"biba/12:1+2" worked why "12:1" failed?)
$ setpmac biba/12:1+2,mls/8:1+2+3+4 echo "blablabla7" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1+2+3 echo "blablabla8" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1+2 echo "blablabla9" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1 echo "blablabla10" >> shared/class2
biba/12:1+2,mls/8:1: Operation not permitted		(again,
why?)
$ setpmac biba/12:1+2+3,mls/8:1 echo "blablabla10" >> shared/class2
biba/12:1+2+3,mls/8:1: Operation not permitted		(?)
$ setpmac biba/12:1+2+3+4,mls/8:1 echo "blablabla10" >> shared/class2
biba/12:1+2+3+4,mls/8:1: Operation not permitted	(?)

I feel like blind. The idea of the LABEL:GRADE it's fine, I see
consistency with the "no write up" and "no read down" for BIBA and the
"no read up" and "no write down" for MLS according to the assigned
subject and grade. But this compartmentalization still looks like a
mistery to me. As documentation on this subject (especially
compartments) and its implementation on FreeBSD is largely insufficient
(to be very politically correct) I need to try to bother somebody
around here. :)

Some of mine highly likely wrong assumptions:
1) numbers in compartments are not representing an order of importance
(2>1, 3<4) but are only identifiers
2) an object which is labeled "biba/10:1+2,mls/10:1+2+3" should be
accessed by a subject which not only matches the r/w requirements
dictated by the GRADE but which belongs to at least one of the
respective BIBA/MLS compartments the object belongs to. So subject
"biba/9:1+2,mls/11:1+2+3"
should be able to read objects labeled as follows:
"biba/10:1+2,mls/10:1+2+3"
"biba/10:1+2,mls/10:3"
"biba/10:1,mls/10:1+2"
"biba/10:1+2,mls/10:1"
3) the BIBA declaration "biba/10:1+2+3(8:1+2-12:1+2+3+4)" states that:
- biba grade is 10 and has default access for compartments 1, 2 and 3
- biba grade 8 has access to compartments 1 and 2
- biba grade from 9 to 11 (which aren't explicitly declared) fall back
to default compartments 1,2 and 3
- the above biba declaration allows to access an object which is at
least in one of the compartments of the respective labels, if the GRADE
actually allows that

I know it's a tricky matter and MAC on FreeBSD is kind of a very niche
topic but I have to try.
MANY thanks in advance to whoever would help me on this.

More information about the freebsd-questions mailing list