--- Joshua Brindle <[EMAIL PROTECTED]> wrote: > Casey Schaufler wrote: > <snip> > > Smack provides mandatory access controls based on the label attached > > to a task and the label attached to the object it is attempting to > > access. Smack labels are deliberately short (1-7 characters) text > > strings. Single character labels using special characters are reserved > > for system use. The only operation applied to Smack labels is equality > > comparison. No wildcards or expressions, regular or otherwise, are > > used. > > > > A file always gets the Smack label of the task that created it. > > > > Smack defines and uses these labels: > > > > "*" - pronounced "star" > > "_" - pronounced "floor" > > "^" - pronounced "hat" > > "?" - pronounced "huh" > > > > The access rules enforced by Smack are, in order: > > > > 1. Any access requested by a task labeled "*" is denied. > > 2. A read or execute access requested by a task labeled "^" > > is permitted. > > 3. A read or execute access requested on an object labeled "_" > > is permitted. > > 4. Any access requested on an object labeled "*" is permitted. > > 5. Any access requested by a task on an object with the same > > label is permitted. > > 6. Any access requested that is explicitly defined in the loaded > > rule set is permitted. > > 7. Any other access is denied. > > > > Rules may be explicitly defined by writing subject,object,access > > triples to /smack/load. > > > > Smack rule sets can be easily defined that describe Bell&LaPadula > > sensitivity, Biba integrity, and a variety of interesting > > configurations. Smack rule sets can be modified on the fly to > > accomodate changes in the operating environment or even the time > > of day. > > > > > > How exactly can you describe a blp policy with this module?
Example below. Actually, you chose the absolute worst case example in a fully populated Bell&LaPadula sensitivity scheme. But real world experiance is that MLS systems very rarely use both levels and categories. A small number use just levels, which could be represented thus: TS:SBI TS rx TS:SBI S rx TS:SBI C rx TS:SBI U rx TS S rx TS C rx TS U rx S C rx S U rx C U rx and the majority use just categories, which requires no specification at all to provide separation. > How do you > define dominance relationships between levels and over categories > without a very complex policy? It's simple, but to do the full permutation set, not small. Let's say we want TS, S, and U for levels, with categories A and B. The specification would be: TS/A,B TS/A rx TS/A,B TS/B rx TS/A,B TS rx TS/A,B S/A rx TS/A,B S/B rx TS/A,B S rx TS/A,B U/A rx TS/A,B U/B rx TS/A,B U rx S/A,B S/A rx S/A,B S/B rx S/A,B S rx S/A,B U/A rx S/A,B U/B rx S/A,B U rx U/A,B U/A rx U/A,B U/B rx U/A,B U rx TS/A TS rx TS/A S/A rx TS/A S rx TS/A U/A rx TS/A U rx S/A S rx S/A U/A rx S/A U rx U/A U rx TS/B TS rx TS/B S/B rx TS/B S rx TS/B U/B rx TS/B U rx S/B S rx S/B U/B rx S/B U rx U/B U rx TS S rx TS U rx S U rx I'm not saying that the preceeding is pretty, but it isn't complicated. > My main concern is that I don't see any real security goals or use cases > that this can address, can you provide some use cases that make this a > viable security mechanism? Well, there's Bell and LaPadula in the common category usage, the occasional level usage, and the rare full level+cats scheme. Biba integrity is easy as well, just scroll back to the example and turn your monitor upside down. Another serious use is time based policy: at 5pm: # echo 'worker game x' > /smack/load at 8am: # echo 'worker game -' > /smack/load Those are simple examples of some of the more obvious uses. Thank you. Casey Schaufler [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
