[redhat-lspp] Write up restrictions

Chad Hanson chanson at TrustedCS.com
Wed Jun 29 13:33:08 UTC 2005


> 
> I was looking through the mls constraints and notice a common theme of
> 
> ( t1 == mlsfilewritetoclr ) and ( h1 dom l2 )
> 
> to restrict write ups. I would like to advise against this type of
> restriction. It is not required and has its roots in misguided attempts to
> use MLS as a means to provide integrity (as opposed to confidentiality). In
> the case of SELinux, we have TE for integrity and so we should avoid
> techniques like using categories and levels as integrity mechanisms.
> 

We are using the process clearance to limit the write-up ability of the
process. This leads to a bounded write instead of unbounded write-up. This
is just a slight enhancement to make the MLS policy stronger. TE provides
integrity as you state. However, there are still cases where this MLS
restriction can be useful. One example could be files of the same type, like home
directories, in which we can't use the TE to help enforce the integrity, but
we can use the MLS restriction to limit the write up.


> On the other hand write ups are extremely valuable if we ever start writing
> true MLS-aware, untrusted applications as we need to do in order to achieve
> higher assurance. For MLS-aware, untrusted apps we need to use one-way
> protocols and write ups (and read down) provides the ability for these
> coordination. Treating write up as a privilege is the same as treating read
> down a privilege (or should be).
> 

Write ups are valuable and that is why it can be allowed with a simple
attribute on the process. MLS has shortcomings and that is why TE can greatly
increase the overall security of the system. Is it not fair to try to
increase the security of the MLS model when possible? A defense in depth
approach would agree that a strong MLS and TE model lead to the strongest
system.

> I could live with the mlsfilewritetoclr attribute if we gave it to all
> domains (though again it perpetuates the confusion over 
> confidentiality vs. integrity), but the h1 dom l2 constraint is too restrictive.
> We want our low level applications to be able to enqueue data or send 
> messages to system high processes.  Frank
> 

This mechanism isn't disallowing this. This is just adding a restriction
making sure the clearance of the process is system high to have write
access. This is similar to the fact that you would want to make sure the type of
the process has access; why can't we also make sure the MLS label has access
as well. This would mean you would have to misconfigure TE and MLS to have
undesired access instead of just one.

-Chad
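The two constraint forms argued over above, modelled as an added example (not code from the thread or from the SELinux policy): an unbounded write-up passes whenever the file level dominates the process's current level l1, while the bounded form also requires the process clearance h1 to dominate the file level and the mlsfilewritetoclr attribute to be present. The level syntax ("s2:c0,c3") and the simplified dominance rule are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a set of categories."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other: "Level") -> bool:
        # self dominates other: higher-or-equal sensitivity, superset of categories
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text: str) -> Level:
    """Parse a constructed level string such as 's2:c0,c3' (assumed syntax)."""
    sens, _, cats = text.partition(":")
    cat_set = frozenset(int(c[1:]) for c in cats.split(",") if c)
    return Level(int(sens[1:]), cat_set)


@dataclass(frozen=True)
class Process:
    low: Level                      # l1: current level of the process
    high: Level                     # h1: clearance of the process
    attrs: frozenset = frozenset()  # TE attributes, e.g. mlsfilewritetoclr


def file_write_allowed(proc: Process, l2: Level, bounded: bool) -> bool:
    """Evaluate the MLS file-write constraint for a process writing a file at l2.

    bounded=False: unbounded write-up, allowed when l2 dominates l1.
    bounded=True:  the thread's form, additionally requiring
                   (t1 == mlsfilewritetoclr) and (h1 dom l2).
    """
    if proc.low == l2:
        return True                 # same level: plain write, never a write-up
    write_up = l2.dom(proc.low)     # l1 domby l2: data only flows upward
    if not bounded:
        return write_up
    return ("mlsfilewritetoclr" in proc.attrs and write_up
            and proc.high.dom(l2))
```

With a process at s1 cleared to s3:c0,c1, a write to an s5 (system high) file passes the unbounded check but fails the bounded one until the clearance is raised, which is exactly the "misconfigure both TE and MLS" property Chad describes.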
