posix mac
Casey Schaufler
casey at sgi.com
Thu Apr 15 00:05:38 GMT 1999
Ilmar S. Habibulin wrote:

> My thought about sockets and MAC label - a process which wants to make
> a network connection must have a MAC label equal to System Low (am I right?).

You need to make a conscious decision about the MAC label to use
with sockets based on the particular network configuration involved.
Some examples:

The "Maryland" network is kept internal to a building. All of
the systems on the network are running the same, MAC enabled OS.
These systems pass security attribute information to one another
in IP options in the IP header, and can be counted on to do so
consistently. There's no reason that delivery to sockets can't
be constrained on a per-socket basis.

The "Colorado" configuration consists of a network on which all the
information is considered secret. All internet domain sockets should
be treated as secret.
> You ask me why? Because, if we look at such a complex thing as Desktop
> Environments in the X Window System, we will see a huge amount of network
> operations. Now we put MAC rules on them. So what do we have? If processes
> are communicating with each other - that's ok. But if processes are
> communicating with some server process, like the X Server - it becomes a
> problem. I had undetermined crashes while trying to implement MAC over
> network connections. So, process credits/auth info/crypt keys/etc - may be
> passed and used by the network layer. MAC can't. That's my point.
> Agreed?

Nope. Read the Trusted Irix FER (on http://www.radium.ncsc.mil/tpep).
The X server runs (on that version of the system) as the user, with
the user's MAC label. The server would only connect to processes
running at that MAC label. It worked, however, unmodified.
> Sources are commercial secret? ;-)

So far, but you never know ....

> ... And I just don't figure out what TSIG is. Some inet
> group or what?

The Trusted Systems Interoperability Group (TSIG) was the
industry forum tasked with getting everybody's B1/CMW systems
to talk with each other. DEC, HP, Sun, SGI, Cray, SecureWare, ...
> Oh. Shared memory is a very dangerous thing (and mmap too). For shared
> memory I propose the system low level, and for mmap - system low only for
> writing.

System V IPC objects get the MAC of their creators. Otherwise,
they're useless.
> My implementation is - the label of a device represents the max sensitivity
> label of data that can be passed through the device. Like it?

But what label do you use for access checks?
> > /tmp
> Directories - very interesting files. I had to move them to a "special
> group", not like ordinary files. So you can have access to a directory and
> its content if you have the appropriate access label. But these directories can
> hold files of any label. So /tmp - System High. ;-)

Directories usually get treated like any other sort of files,
with debate centered around how to have a hierarchy which
has directories with different labels. Usually it's done by
allowing users to upgrade their directories.
> > what label to give audit trails
> I think it's the admin's job to think about it. Or did I just get something wrong?

The question is how to give an auditor the rights to see the audit
data without giving her the rights to see all the user's data.
> > what label to give system data
> What is system data? I think that inside system (kernel) data shouldn't
> have any MAC restrictions, only MAC labels. Or am I wrong again?

What should the MAC be on /etc/passwd? How about /etc/shadow?
/var/adm/SYSLOG?
> > how to represent "System High"
> It's the highest MAC label in the system?

Right, but if you allow thousands of categories, this can be tricky.
--
Casey Schaufler voice: (650) 933-1634
casey at sgi.com fax: (650) 933-0170
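An added illustration of the label lattice this exchange keeps returning to; it is example code written for this archive page, not code from the message, from Trusted Irix, or from Ilmar's implementation. The level names and category names are constructed, and the read/write rules are the usual "no read up / no write down" dominance checks. It shows how System Low and System High fall out as the bottom and top of the lattice, why a /tmp that must hold files of any label ends up at System High (it is the least upper bound of everything), how a device or directory that carries a label range still needs a per-item label for the actual access check, and how per-socket delivery can be constrained when packets carry a label.

```python
"""Toy MAC label lattice: a sensitivity level plus a set of categories.
Constructed example; the names below are made up for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Constructed policy. A real system defines these in its label database.
LEVELS = ("unclassified", "confidential", "secret", "top_secret")
ALL_CATEGORIES = frozenset({"maryland", "colorado", "crypto", "nuclear"})


@dataclass(frozen=True)
class Label:
    level: int                  # index into LEVELS
    categories: FrozenSet[str]  # subset of ALL_CATEGORIES

    def __post_init__(self):
        if not 0 <= self.level < len(LEVELS):
            raise ValueError("unknown level")
        if not self.categories <= ALL_CATEGORIES:
            raise ValueError("unknown category")

    def dominates(self, other: "Label") -> bool:
        """a dominates b iff a's level is at least b's and a's categories
        are a superset of b's. This is the partial order of the lattice."""
        return self.level >= other.level and self.categories >= other.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label that dominates both."""
        return Label(max(self.level, other.level),
                     self.categories | other.categories)


# The extremes of the lattice. With thousands of categories, System High
# is the label carrying every one of them, which is why it is awkward to
# represent compactly.
SYSTEM_LOW = Label(0, frozenset())
SYSTEM_HIGH = Label(len(LEVELS) - 1, ALL_CATEGORIES)


def lub(labels: Iterable[Label]) -> Label:
    """Least upper bound of a collection, e.g. the label a directory needs
    if it must be able to hold every file in the collection."""
    result = SYSTEM_LOW
    for lbl in labels:
        result = result.join(lbl)
    return result


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject may read only what it dominates."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: a subject may write only to objects that dominate it."""
    return obj.dominates(subject)


@dataclass(frozen=True)
class LabelRange:
    """A multilevel object (a device, or a /tmp-style directory) carries a
    range [low, high]. The range says what may pass through; the access
    check for each item is still done against that item's own label."""
    low: Label
    high: Label

    def admits(self, lbl: Label) -> bool:
        return lbl.dominates(self.low) and self.high.dominates(lbl)


def deliver_to_socket(socket_label: Label, packet_label: Label) -> bool:
    """Per-socket delivery constraint for a network whose packets carry a
    label (the 'Maryland' case): deliver only if the socket dominates it."""
    return socket_label.dominates(packet_label)


def demo() -> dict:
    """Constructed scenario: a few files in /tmp with mixed labels."""
    secret_md = Label(2, frozenset({"maryland"}))
    secret = Label(2, frozenset())
    tmp_contents = [SYSTEM_LOW, secret_md, Label(1, frozenset({"crypto"}))]
    return {
        "secret_reads_low": can_read(secret, SYSTEM_LOW),
        "low_reads_secret": can_read(SYSTEM_LOW, secret),
        "low_writes_up": can_write(SYSTEM_LOW, secret),
        "tmp_lub": lub(tmp_contents),
        "high_is_top": all(SYSTEM_HIGH.dominates(l) for l in tmp_contents),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `LabelRange` type is the answer to "what label do you use for access checks?": a device whose label is only a maximum tells you what may flow through it, but each read or write still has to be checked against the label of the data actually being moved.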