next up previous contents
Next: User configuration Up: Policy Configuration Language Previous: RBAC configuration   Contents

MLS configuration

The mls file contains the configuration information for the multi-level security (MLS) policy. This policy is an extension of the Bell-LaPadula (BLP) model of multi-level security in which each subject and object is labeled with a range of levels rather than a single level. If a subject is multi-level, i.e. its low level differs from its high level, then it is trusted to handle data at any level in its range while maintaining proper separation among the different levels. Multi-level objects may be used for the private state of multi-level subjects and for data sharing between multi-level subjects.

Figure 8: MLS declarations. Only fragments of the listing survive in this copy:

    sensitivity ...
    ...l u;
    level ts:nato,usuk;

The MLS configuration begins by declaring the sensitivities and defining the dominance ordering for them. It then declares the categories, and defines levels by specifying what categories may be associated with each sensitivity. A level dominates another level if its sensitivity is equal to or higher than the other's in the dominance ordering and its set of categories includes all of the other's categories. Sample MLS declarations are shown in Figure 8.

Figure 9: MLS base permissions. Only fragments of the listing survive in this copy:

    class tcp_so...
    ...m : { readby writeby }
    }

After the declarations, each access vector permission is mapped to a set of MLS base permissions (read, write, readby, and writeby). The read MLS base permission is only granted if the high level of the source SID dominates the high level of the target SID. The write MLS base permission is only granted if either the target SID is single-level (its low and high levels are equal) and that level dominates the low level of the source SID, or the range of the target SID is contained within the range of the source SID, i.e. the low level of the target dominates the low level of the source and the high level of the source dominates the high level of the target. The latter restriction on writes to multi-level targets protects the integrity of such objects: a subject may not write into a multi-level object at levels it is not itself trusted to handle.

The readby and writeby MLS base permissions have the same requirements as the read and write MLS base permissions, respectively, with the source and target SIDs exchanged to reflect the target SID acting on the source SID. An access vector permission is only granted if all of the MLS base permissions associated with it are granted. Sample MLS base permission mappings are shown in Figure 9.
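The lattice built from the declarations (Figure 8) and the four base-permission checks described above, as an added example in Python; this is not code from the report or from the SELinux policy compiler. The declaration fragment and the permission mapping it uses are constructed: the `sensitivity`, `category` and `level` statement forms follow the fragments visible on the page, while the `dominance { low ... high }` form, the sensitivities c and s, and the file and tcp_socket mappings are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed declaration fragment; not the page's (truncated) Figure 8. Assumed syntax:
# 'sensitivity NAME;', 'dominance { low .. high }', 'category NAME;', 'level SENS[:CAT,...];'.
MLS_DECLS = """
sensitivity u;
sensitivity c;
sensitivity s;
sensitivity ts;
dominance { u c s ts }
category nato;
category usuk;
level u;
level c:nato;
level s:nato,usuk;
level ts:nato,usuk;
"""

# Constructed mapping of access vector permissions to MLS base permissions;
# an illustrative assumption, not the page's (truncated) Figure 9.
BASE_PERMS = {
    "file": {"read": {"read"}, "getattr": {"read"}, "write": {"write"}},
    "tcp_socket": {"connectto": {"read", "write"}, "acceptfrom": {"readby", "writeby"}},
}

Level = namedtuple("Level", "sens cats")   # cats: frozenset of category names
Range = namedtuple("Range", "low high")    # low == high means single-level

class MlsLattice:
    def __init__(self, text):
        self.rank = {}      # sensitivity -> position in the dominance order
        self.levels = {}    # sensitivity -> categories permitted at it
        declared, self.categories = [], set()
        for line in text.splitlines():
            stmt = line.strip().rstrip(";").strip()
            if not stmt:
                continue
            kw, _, rest = stmt.partition(" ")
            if kw == "sensitivity":
                declared.append(rest)
            elif kw == "dominance":     # lowest sensitivity is listed first
                self.rank = {n: i for i, n in enumerate(rest.strip("{} ").split())}
            elif kw == "category":
                self.categories.add(rest)
            elif kw == "level":
                sens, _, cats = rest.partition(":")
                cats = frozenset(c for c in cats.split(",") if c)
                if not cats <= self.categories:
                    raise ValueError("undeclared category in: " + stmt)
                self.levels[sens] = cats
            else:
                raise ValueError("unknown statement: " + stmt)
        if set(declared) != set(self.rank):
            raise ValueError("dominance must order every declared sensitivity")

    def parse_level(self, spec):
        """'ts:nato,usuk' -> Level; rejects categories not permitted at that sensitivity."""
        sens, _, cats = spec.partition(":")
        cats = frozenset(c for c in cats.split(",") if c)
        if sens not in self.rank or not cats <= self.levels.get(sens, frozenset()):
            raise ValueError("invalid level: " + spec)
        return Level(sens, cats)

    def parse_range(self, spec):
        """'u - ts:nato,usuk' -> Range; a bare level is a single-level range."""
        low, _, high = spec.partition("-")
        lo = self.parse_level(low.strip())
        hi = self.parse_level(high.strip()) if high else lo
        if not self.dominates(hi, lo):
            raise ValueError("high level must dominate low level: " + spec)
        return Range(lo, hi)

    def dominates(self, a, b):
        """a dominates b: a's sensitivity is at least b's and a's categories include b's."""
        return self.rank[a.sens] >= self.rank[b.sens] and b.cats <= a.cats

    # The four MLS base permissions, as the text defines them.
    def read(self, src, tgt):
        return self.dominates(src.high, tgt.high)

    def write(self, src, tgt):
        if tgt.low == tgt.high:         # single-level target: writing up is allowed
            return self.dominates(tgt.high, src.low)
        # multi-level target: its whole range must lie within the source's range
        return self.dominates(tgt.low, src.low) and self.dominates(src.high, tgt.high)

    def readby(self, src, tgt): return self.read(tgt, src)     # source and target exchanged
    def writeby(self, src, tgt): return self.write(tgt, src)

LATTICE = MlsLattice(MLS_DECLS)

def decide(src_spec, tgt_spec, cls, perm):
    """Grant an access vector permission only if every mapped base permission is granted."""
    src, tgt = LATTICE.parse_range(src_spec), LATTICE.parse_range(tgt_spec)
    return all(getattr(LATTICE, bp)(src, tgt) for bp in BASE_PERMS[cls][perm])

if __name__ == "__main__":
    print(decide("s:nato", "c:nato", "file", "read"), decide("s:nato", "c:nato", "file", "write"))
```

Running it shows the BLP shape of the rules: a process at s:nato may read a file at c:nato but not write it, while a process at u may write a single-level file at ts:nato,usuk (write-up). For multi-level targets the containment rule takes over, so a process ranging u to s:nato is refused a write to an object ranging c:nato to ts:nato,usuk. The acceptfrom mapping to both readby and writeby means that, between single-level sockets, the two ends must be at the same level; ts:nato and s:nato,usuk are incomparable because neither category set contains the other.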

The current policy configuration language does not support specification of MLS range transition rules. An MLS range transition rule would specify the range of a new object based on the range of the creating subject and the range of a related object. By default, the MLS range of a process does not change across an execve, and the MLS range of an object is inherited from its creator.

The current policy configuration language also does not support specification of MLS range member rules for polyinstantiated objects. The MLS range of the member is currently always inherited from the process. Hence, a separate member is created for each distinct MLS range among the processes that access the object.

