Mandatory Access Control: Silver Bullet or Kafkaesque Nightmare?, Part 1

Given the recent flood of new worms and viruses infecting the Net, it is worth noting that systems designed to be impervious to these types of threats are available. But are they really appropriate for developing and serving Web sites? Yes and no.

A concept called Mandatory Access Control (MAC) is what makes many of these secure operating systems different. Though it has been around since the 1980s, MAC is still (literally) an obscure bureaucratic methodology not easily explained in plain language.

What is Mandatory Access Control?

Access relationships are divided between subjects and objects. A subject can be thought of as a user, or anything else that accesses an object. An object is the process, file, or piece of information being accessed. All subjects are assigned domains, which can be thought of as security clearances, and all objects are assigned types, which can be thought of as security classifications. Security policies are created based upon the sensitivity of the object, not at the discretion of the user that receives it.

The subject (a user, process, or administrator) may be able to access a file, but, because the file retains its classification label, it may not be able to transfer the file to another user, or use any system utility to copy it from the system. The system recognizes the label on the file and will not allow the file to be read or otherwise processed by a user or process of lesser clearance. The system checks the file for its classification and denies another process access to the file unless that process has adequate clearance.

How is this different from regular Unix permissions?

Any user with ownership of a file can modify its regular Unix permissions. Regardless of the sensitivity of the information in a file, it can be copied, e-mailed, or read by a user if the file's permissions (read, write, execute, relative to the user, their group, and everyone else) allow it.

In a MAC system, if a file has been given a specific level of sensitivity (or context), then the system will not allow certain users, programs, or even administrators to perform operations on the file. Though this may sound like a subtle difference, imagine you were able to set a log file's sensitivity higher than that of the mailer program. Though you could read, write, and copy the file as needed, not even an administrator could e-mail the file to another system, because the mailer lacks the clearance to handle information with your file's level of classification. It is a shift in perspective: from using users like "nobody", "uucp", and "www" and their accompanying group IDs to separate duties on the system, to requiring that each file on the system carry authoritative security information about itself.
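To make the log-file-versus-mailer example concrete, here is a toy reference monitor written for this article (it is an added illustration, not code from the original piece or from any real MAC system). The level names, the subjects "alice" and "sendmail", and the sample log line are all constructed for the demonstration.

```python
# Toy MAC reference monitor (added illustration, not the article's code).
# Levels are strictly ordered; every subject carries a clearance and every
# object a classification, and the monitor, not the file owner, decides.
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


class Object:
    def __init__(self, name, classification, data=""):
        self.name, self.classification, self.data = name, classification, data


class Subject:
    def __init__(self, name, clearance):
        self.name, self.clearance = name, clearance

    def read(self, obj):
        # "No read up": a subject may only read objects at or below its clearance.
        if self.clearance < obj.classification:
            raise PermissionError(f"{self.name} lacks clearance for {obj.name}")
        return obj.data

    def copy(self, src, dest_name):
        # The copy is a new object but keeps the source's label: copying or
        # renaming the data does not make it any less sensitive.
        return Object(dest_name, src.classification, self.read(src))


def scenario():
    """The article's example: a log file labelled above the mailer program."""
    log = Object("auth.log", Level.SECRET, "failed login (constructed sample)")
    alice = Subject("alice", Level.SECRET)        # the file's owner
    mailer = Subject("sendmail", Level.INTERNAL)  # clearance fixed by policy, not by invoker
    results = {"owner_reads": alice.read(log) == log.data}
    backup = alice.copy(log, "auth.log.bak")
    results["copy_keeps_label"] = backup.classification == Level.SECRET
    try:
        mailer.read(backup)  # fails even though the owner could read and copy it
        results["mailer_blocked"] = False
    except PermissionError:
        results["mailer_blocked"] = True
    return results


if __name__ == "__main__":
    print(scenario())
```

The owner can read and copy the file freely, the copy stays SECRET, and the mailer is refused regardless of who asks it to send the file; that last refusal is the property plain Unix permissions cannot give you.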

Next Week: Mandatory Access Control, Part 2: Enter SELinux
