[redhat-lspp] Write up restrictions

Frank Mayer mayerf at tresys.com
Mon Jun 27 15:43:07 UTC 2005


I was looking through the mls constraints and noticed a common theme of

( t1 == mlsfilewritetoclr ) and ( h1 dom l2 )

to restrict write ups. I would like to advise against this type of
restriction. It is not required and has its roots in misguided attempts to
use MLS as a means to provide integrity (as opposed to confidentiality). In
the case of SELinux, we have TE for integrity and so we should avoid
techniques like using categories and levels as integrity mechanisms.

On the other hand write ups are extremely valuable if we ever start writing
true MLS-aware, untrusted applications as we need to do in order to achieve
higher assurance. For MLS-aware, untrusted apps we need to use one-way
protocols, and write ups (and read down) provide the ability for this
coordination. Treating write up as a privilege is the same as treating read
down as a privilege (or should be).

I could live with the mlsfilewritetoclr attribute if we gave it to all
domains (though again it perpetuates the confusion over confidentiality vs.
integrity), but the h1 dom l2 constraint is too restrictive. We want our low
level applications to be able to enqueue data or send messages to system
high processes.

Frank
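As an added illustration of the `h1 dom l2` point (a constructed Python model, not SELinux policy and not part of this thread or the reference policy; the type names, the attribute spelling and the sample levels are assumptions):

```python
# Constructed model of two ways a "write up" can be expressed in an MLS
# constraint. Not SELinux policy; lowapp_t, syshigh_queue_t and the sample
# levels are assumptions made for this illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    """MLS level: sensitivity plus category set, e.g. s3:c0,c2."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other):
        """Dominance: sensitivity >= and categories are a superset."""
        return self.sens >= other.sens and self.cats >= other.cats

@dataclass(frozen=True)
class Context:
    """Context fields an mlsconstrain sees: type, low level (l), clearance (h)."""
    type_: str
    low: Level
    high: Level
    attrs: frozenset = frozenset()  # type attributes such as mlsfilewritetoclr

def write_clearance_capped(proc, obj):
    """The form the post argues against: besides l2 dominating l1, the writer
    must carry mlsfilewritetoclr and its clearance h1 must dominate l2."""
    if proc.low == obj.low:
        return True
    return ("mlsfilewritetoclr" in proc.attrs
            and obj.low.dom(proc.low)
            and proc.high.dom(obj.low))

def write_one_way(proc, obj):
    """Pure write-up: allowed whenever l2 dominates l1 (or is equal).
    Information only flows upward, so confidentiality is preserved."""
    return obj.low.dom(proc.low)

# Constructed sample: an unclassified daemon and a system-high message queue.
LOW = Level(0)
SYSHIGH = Level(15, frozenset(range(1024)))
daemon = Context("lowapp_t", LOW, LOW, frozenset({"mlsfilewritetoclr"}))
queue = Context("syshigh_queue_t", SYSHIGH, SYSHIGH)

def verdicts(proc=daemon, obj=queue):
    """(clearance-capped, one-way) verdicts for proc writing to obj."""
    return write_clearance_capped(proc, obj), write_one_way(proc, obj)
```

With the clearance cap the low daemon cannot enqueue to the system-high queue even though the flow is upward; the one-way form allows it while still denying every write down.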
