dominance man page on IRIX




DOMINANCE(5)							  DOMINANCE(5)

NAME
     dominance - MAC label comparison policy

SYNOPSIS
     #include <sys/mac_label.h>

DESCRIPTION
     On systems with mandatory access control (MAC) enabled, the set of all
     possible Mandatory Access Control (MAC) labels constitutes a lattice,
     where a lattice is defined to be a partially ordered set for which there
     exists, for every pair of elements in the set, a greatest lower bound
     (GLB) and a least upper bound (LUB).  A partial ordering over a set is
     defined by a relation that has the following three properties:
     reflexive, antisymmetric, transitive. The reflexive property states that
     every element in the set is "related" to itself.  The antisymmetric
     property states that given two elements in the set, if the first element
     is "related" to the second element, and the second element is "related"
     to the first element, then the two elements are necessarily equal.	 The
     transitive property states that given three elements in the set, if the
     first element is "related" to the second element, and the second element
     is "related" to the third element, then the first element is also
     "related" to the third element.

     A simple example of this is the improper subset relation:

        Reflexive:       Given a set A, A is an improper subset
                         of A.

        Antisymmetric:   Given two sets A and B, if A is an
                         improper subset of B and B is an
                         improper subset of A, then A and B are
                         equal (i.e., the same set).

        Transitive:      Given three sets A, B, and C, if A is an
                         improper subset of B and B is an
                         improper subset of C, then A is an
                         improper subset of C.

     dominance represents the relation providing the partial ordering over the
     lattice formed by the set of all possible MAC labels.  Hence, the
     dominance relation upholds the three properties described above over the
     set of all possible MAC labels.

     A MAC label is defined as follows:

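     struct mac_label {
             unsigned char   ml_msen_type;   /* MSEN label type */
             unsigned char   ml_mint_type;   /* MINT label type */
             unsigned char   ml_level;       /* MSEN level */
             unsigned char   ml_grade;       /* MINT grade */
             unsigned short  ml_catcount;    /* number of MSEN categories */
             unsigned short  ml_divcount;    /* number of MINT divisions */
             /* categories first, divisions last */
             unsigned short  ml_list[MAC_MAX_SETS];
     };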

     A MAC label comprises both a Mandatory Sensitivity (MSEN) label portion
     and a Mandatory Integrity (MINT) label portion. With respect to the above
     definition of MAC label, the MSEN label portion includes 1) ml_msen_type,
     2) ml_level, 3) ml_catcount, and 4) the first ml_catcount elements in
     ml_list[MAC_MAX_SETS], while the MINT label portion includes 1)
     ml_mint_type, 2) ml_grade, 3) ml_divcount, and 4) the last ml_divcount
     elements in ml_list[MAC_MAX_SETS].

     The determination of whether one MAC label dominates another MAC label
     depends at the highest level simply upon whether the MSEN label portions
     compare as required and whether the MINT label portions compare as
     required. By definition, for any two MAC labels A and B, A dominates B if
     and only if the MSEN label portion of A dominates the MSEN label portion
     of B and the MINT label portion of A is dominated by the MINT label
     portion of B.  However, comparison of MSEN label portions and MINT label
     portions is more complicated, and may take one of two different paths.
     Specifically, given two MAC labels A and B: the ml_msen_types are read
     and based on their values either an MSEN dominance determination is made
     or it is determined that comparison of ml_levels, ml_catcount, and
     ml_lists is required; the ml_mint_types are read and based on their
     values either a MINT dominance determination is made or it is determined
     that comparison of ml_grades, ml_divcount, and ml_lists is required.

     Specifically, a MAC label includes an MSEN label type as part of the MSEN
     label portion and a MINT label type as part of the MINT label portion.
     The predefined set of valid system MSEN label type values is: msenadmin,
     msenequal, msenhigh, msenmldhigh, msenlow, msenmldlow, msenmld,  and
     msentcsec.	 The predefined set of valid system MINT label type values is:
     mintequal, minthigh, mintlow and mintbiba. Each of the MSEN label type
     set and the MINT label type set constitute a lattice, in that there
     exists a fully defined comparison relation between each pair of MSEN
     label types and each pair of MINT label types, i.e. either they are
     equal, one dominates the other, they are non-comparable, or further
     comparison of the other relevant component fields is required.

     In particular, for all MAC labels containing the following MSEN label
     types, msenadmin, msenequal, msenhigh, msenmldhigh, msenlow and
     msenmldlow, the comparison relation between the MSEN label portions of
     two MAC labels is entirely dependent upon only the MSEN label types.  In
     addition, for all MAC labels containing the following MINT label types,
     mintequal, minthigh and mintlow, the comparison relation between the MINT
     label portions of two MAC labels is entirely dependent upon only the MINT
     label types.  In other words, given two MAC labels A and B, where either
     comprises one of the MSEN label types and one of the MINT label types
     referenced above, the comparison relation between the two labels is fully
     defined.

     Additionally, in the case where a MAC label contains an MSEN label type
     of msenmld or msentcsec there must be included the level and the
     (possibly empty) category set component fields as part of the MSEN label
     portion. Analogously, in the case where a MAC label contains a MINT label
     type of mintbiba there must be included the grade and (possibly empty)
     division set component fields as part of the MINT label portion.  Then
     given two MAC labels A and B, there are three possible situations that
     result:

     1.) Both MAC labels comprise one of the MSEN label types msenmld or
	 msentcsec and the MINT label type mintbiba.

     2.) Both MAC labels comprise one of the MSEN label types msenmld or
	 msentcsec along with comparable MINT label types (not mintbiba).

     3.) Both MAC labels comprise the MINT label type mintbiba along with
	 comparable MSEN label types (not msenmld or msentcsec).

     In all three situations, the comparison relation between the two MAC
     labels is dependent upon actual comparison of the level, category set,
     grade, and division set component fields.

     Given MAC labels A and B: A[S] and B[S] represent the MSEN label portions
			       of A and B respectively
			       A[I] and B[I] represent the MINT label portions
			       of A and B respectively

     So that:

     If	    A[S] is an element in the set {msenadmin, msenequal, msenhigh,
	    msenmldhigh, msenlow, msenmldlow} and
	    A[I] is an element in the set {mintequal, minthigh, mintlow}
		    or
	    B[S] is an element in the set {msenadmin, msenequal, msenhigh,
	    msenmldhigh, msenlow, msenmldlow} and
	    B[I] is an element in the set {mintbiba, minthigh, mintlow}
	    then a dominance determination is possible based solely on the
	    MSEN and MINT label types.

     If	    A[S], B[S] are elements in the set {msenmld, msentcsec}
	    then comparison of the ml_level fields, the ml_catcount fields,
	    and the first ml_catcount elements of the ml_list fields is
	    required.

     If	    A[I], B[I] are elements in the set {mintbiba}
	    then comparison of the ml_grade fields, the ml_divcount fields,
	    and the last ml_divcount elements of the ml_list fields is
	    required.

     And If A[S], B[S] are elements in the set {msenmld, msentcsec} and
	    A[I], B[I] are elements in the set {mintbiba}
	    then comparison of the ml_level fields, the ml_catcount fields,
	    and the first ml_catcount elements of the ml_list fields is
	    required, and comparison of the ml_grade fields, the ml_divcount
	    fields, and the last ml_divcount elements of the ml_list fields is
	    required.

     MSEN label type Comparison

     If A[S] is msenadmin then
        If B[S] is msenadmin or msenequal then A[S] is equal to B[S]
        If B[S] is msenhigh or msenmldhigh then A[S] is dominated by B[S]
        If B[S] is msenlow or msenmldlow then A[S] dominates B[S]
        If B[S] is msenmld or msentcsec then A[S] and B[S] are
                non-comparable

     If A[S] is msenequal then
        A[S] is equal to B[S]

     If A[S] is msenhigh then
        If B[S] is msenequal, msenhigh or msenmldhigh then A[S] is
                equal to B[S]
        If B[S] is msenadmin, msenlow, msenmldlow, msenmld or
                msentcsec then A[S] dominates B[S]

     If A[S] is msenmldhigh then
        If B[S] is msenequal, msenhigh or msenmldhigh then A[S] is
                equal to B[S]
        If B[S] is msenadmin, msenlow, msenmldlow, msenmld or
                msentcsec then A[S] dominates B[S]

     If A[S] is msenlow then
        If B[S] is msenequal, msenlow or msenmldlow then A[S] is
                equal to B[S]
        If B[S] is msenadmin, msenhigh, msenmldhigh, msenmld or
                msentcsec then A[S] is dominated by B[S]

     If A[S] is msenmldlow then
        If B[S] is msenequal, msenlow or msenmldlow then A[S] is
                equal to B[S]
        If B[S] is msenadmin, msenhigh, msenmldhigh, msenmld or
                msentcsec then A[S] is dominated by B[S]

     If A[S] is msenmld then
        If B[S] is msenequal then A[S] is equal to B[S]
        If B[S] is msenlow or msenmldlow then A[S] dominates B[S]
        If B[S] is msenhigh or msenmldhigh then A[S] is dominated by B[S]
        If B[S] is msenadmin then A[S] and B[S] are non-comparable
        If B[S] is msenmld or msentcsec then the level and category set
                component fields of A[S] and B[S] must be compared

     If A[S] is msentcsec then
        If B[S] is msenequal then A[S] is equal to B[S]
        If B[S] is msenlow or msenmldlow then A[S] dominates B[S]
        If B[S] is msenhigh or msenmldhigh then A[S] is dominated by B[S]
        If B[S] is msenadmin then A[S] and B[S] are non-comparable
        If B[S] is msenmld or msentcsec then the level and category set
                component fields of A[S] and B[S] must be compared

     MINT label type Comparison

     If A[I] is mintequal then
        A[I] is equal to B[I]

     If A[I] is minthigh then
        If B[I] is mintequal or minthigh then A[I] is equal to B[I]
        If B[I] is mintlow or mintbiba then A[I] is dominated by B[I]

     If A[I] is mintlow then
        If B[I] is mintequal or mintlow then A[I] is equal to B[I]
        If B[I] is minthigh or mintbiba then A[I] dominates B[I]

     If A[I] is mintbiba then
        If B[I] is mintequal then A[I] is equal to B[I]
        If B[I] is minthigh then A[I] dominates B[I]
        If B[I] is mintlow then A[I] is dominated by B[I]
        If B[I] is mintbiba then the grade and division set
                component fields of A[I] and B[I] must be compared

     The rules for the MSEN and MINT label type dominance relationship are
     defined as follows:

     For MSEN label type dominance:
	  msenadmin is defined to dominate msenadmin, msenequal, msenlow, and
	  msenmldlow.
	  msenequal is defined to dominate all other MSEN label types.
	  msenhigh is defined to dominate all other MSEN label types.
	  msenmldhigh is defined to dominate all other MSEN label types.
	  msenlow is defined to dominate msenequal, msenlow and msenmldlow.
	  msenmldlow is defined to dominate msenequal, msenlow and msenmldlow.
	  msenmld is defined to dominate msenequal, msenlow and msenmldlow.
	  In addition, msenmld is defined to dominate msenmld and msentcsec if
	  level of A[S] is greater than or equal to level of B[S] and category
	  set of A[S] is a superset of category set of B[S].
	  msentcsec is defined to dominate msenequal, msenlow and msenmldlow.
	  In addition, msentcsec is defined to dominate msenmld and msentcsec
	  if level of A[S] is greater than or equal to level of B[S] and
	  category set of A[S] is a superset of category set of B[S].

     For MINT label type dominance:
	  mintequal is defined to dominate all other MINT label types.
	  mintlow is defined to dominate all other MINT label types.
	  minthigh is defined to dominate mintequal and minthigh.
	  mintbiba is defined to dominate mintequal and minthigh.  In
	  addition, mintbiba is defined to dominate mintbiba if grade of A[I]
	  is less than or equal to grade of B[I] and division set of A[I] is a
	  subset of division set of B[I].

     The rules for the MSEN and MINT label type equality relationship are
     defined as follows:

     For MSEN label type equality:
	  msenadmin is defined to equal msenadmin and msenequal.
	  msenequal is defined to equal all other MSEN label types.
	  msenhigh is defined to equal msenequal, msenhigh and msenmldhigh.
	  msenmldhigh is defined to equal msenequal, msenhigh and msenmldhigh.
	  msenlow is defined to equal msenequal, msenlow and msenmldlow.
	  msenmldlow is defined to equal msenequal, msenlow and msenmldlow.
	  msenmld is defined to equal msenequal. In addition, msenmld is
	  defined to equal msenmld and msentcsec if level of A[S] is equal to
	  level of B[S] and category set of A[S] is equal to category set of
	  B[S].
	  msentcsec is defined to equal msenequal.  In addition, msentcsec is
	  defined to equal msenmld and msentcsec if level of A[S] is equal to
	  level of B[S] and category set of A[S] is equal to category set of
	  B[S].

     For MINT label type equality:
	  mintequal is defined to equal all other MINT label types.
	  minthigh is defined to equal mintequal and minthigh.
	  mintlow is defined to equal mintequal and mintlow.
	  mintbiba is defined to equal mintequal.  In addition, mintbiba is
	  defined to equal mintbiba if grade of lp1 is equal to grade of lp2
	  and division set of lp1 is equal to division set of lp2.

     Any pair of MSEN label types or MINT label types not explicitly
     referenced above are considered to be non-comparable, and thus the MAC
     labels comprised of them are also non-comparable.

		      TABLE 1:	MSEN Label Type Relationships
		      ______________________________________
			   A	E   H	I   L	N   M	 T
		      ______________________________________
		       A   =	=   <	<   >	>   NC	 NC
		      ______________________________________
		       E   =	=   =	=   =	=   =	 =
		      ______________________________________
		       H   >	=   =	=   >	>   >	 >
		      ______________________________________
		       I   >	=   =	=   >	>   >	 >
		      ______________________________________
		       L   <	=   <	<   =	=   <	 <
		      ______________________________________
		       N   <	=   <	<   =	=   <	 <
		      ______________________________________
		       M   NC	=   <	<   >	>   *	 *
		      ______________________________________
		       T   NC	=   <	<   >	>   *	 *
		      ______________________________________

		      TABLE 2:	MINT Label Type Relationships
				___________________
				     e	 h   l	 b
				___________________
				 e   =	 =   =	 =
				___________________
				 h   =	 =   <	 <
				___________________
				 l   =	 >   =	 >
				___________________
				 b   =	 >   <	 *
				___________________
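
     As an added illustration (not code from IRIX or from this man page),
     the MSEN half of the comparison can be written as a lookup in TABLE 1
     followed by the level and category set check for the * cells.  The
     struct, the function names and the reading of the single-letter type
     codes are assumptions; the codes follow the table's row order and the
     page gives no legend for them.

```c
#include <stdio.h>
#include <string.h>

#define MAXCAT 8
/* Constructed stand-in for the MSEN portion of a label, not struct mac_label. */
struct msen { char type; unsigned char level; unsigned short ncat, cat[MAXCAT]; };

/* TABLE 1: row = type of A, column = type of B. 'N' stands for NC and '*'
 * means level and category set must be compared. Assumed legend, in table
 * order: msenadmin, msenequal, msenhigh, msenmldhigh, msenlow, msenmldlow,
 * msenmld, msentcsec. */
static const char ORDER[] = "AEHILNMT";
static const char *const TABLE1[8] = {
    "==<<>>NN", "========", ">===>>>>", ">===>>>>",
    "<=<<==<<", "<=<<==<<", "N=<<>>**", "N=<<>>**",
};

/* Returns 1 if every category of x also appears in y. */
static int cats_within(const struct msen *x, const struct msen *y)
{
    for (unsigned i = 0; i < x->ncat; i++) {
        unsigned j = 0;
        while (j < y->ncat && y->cat[j] != x->cat[i]) j++;
        if (j == y->ncat) return 0;
    }
    return 1;
}

/* Returns '=', '>', '<' or 'N' for the MSEN portions of A and B. */
char msen_compare(const struct msen *a, const struct msen *b)
{
    const char *ra = a->type ? strchr(ORDER, a->type) : NULL;
    const char *rb = b->type ? strchr(ORDER, b->type) : NULL;
    /* Assumption: unknown types or oversized counts fail closed as NC. */
    if (!ra || !rb || a->ncat > MAXCAT || b->ncat > MAXCAT) return 'N';
    char r = TABLE1[ra - ORDER][rb - ORDER];
    if (r != '*') return r;               /* decided by the label types alone */
    int a_ge = a->level >= b->level && cats_within(b, a);
    int b_ge = b->level >= a->level && cats_within(a, b);
    return a_ge && b_ge ? '=' : a_ge ? '>' : b_ge ? '<' : 'N';
}

int main(void)
{
    /* Constructed labels: level 2 {1,5}, level 1 {5}, and msenadmin. */
    struct msen hi = {'T', 2, 2, {1, 5}}, lo = {'T', 1, 1, {5}}, adm = {'A', 0, 0, {0}};
    printf("%c %c %c\n", msen_compare(&hi, &lo), msen_compare(&lo, &hi), msen_compare(&adm, &hi));
    return 0;
}
```

     A caller deciding whether A dominates B accepts only = and > here;
     both < and N mean the MSEN portion of A does not dominate that of B.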

FILES
     /etc/mac

SEE ALSO
     mac_dominate(3c)
     mac_equal(3c)
     mac_to_text(3c)
     mac_from_text(3c)
