On Mon, 2009-08-17 at 20:40 -0400, Glenn Faden wrote:
> rob myers wrote:
> >
> > I believe the difference between SELinux with MLS policy and what I am
> > trying to build is that I want higher sensitivity levels to dominate
> > lower sensitivity levels only on a per category basis.
> >
> > For example, it is my understanding that under MLS UserB must have
> > sensitivity level 3 access to category 3 because UserB has
> > sensitivity level 3 access to other categories. Another possibility
> > under MLS would be to remove UserB's access to category 3 for all
> > sensitivities. Neither of these is what I want the system to do.
>
> For MLS systems based on the Mitre/DIA label encodings format it is
> possible to exclude specific categories on a per sensitivity label basis
> from the User Accreditation Range. For an example, see:
>
> http://docs.sun.com/app/docs/doc/819-0874/sec6-2?a=view
>
> In your example, you could specify the valid categories for each
> of the four classifications (levels).
>
> UserA's access matrix:
>
> category, sl0, sl1, sl2, sl3
> 0, yes, yes, no , no
> 1, yes, yes, no , no
> 2, yes, yes, yes, no
> 3, yes, yes, yes, yes
>
>
> UserB's access matrix:
>
> category, sl0, sl1, sl2, sl3
> 0, yes, yes, yes, yes
> 1, yes, yes, yes, yes
> 2, yes, yes, yes, yes
> 3, yes, yes, yes, no
>
>
> you could specify
>
> classification= s10; all compartment combinations valid;
> classification= s11; all compartment combinations valid;
> classification= s12; all compartment combinations valid except:
> c0
> c1
> classification= s13; only valid compartment combinations:
> c3
>
>
> So it is possible to specify a User Accreditation Range conforming to
> either the UserA or UserB matrix. However, the format only provides for
> a single User Accreditation Range that would apply to all users. In MLS
> systems I'm familiar with, there is no facility to exclude categories
> from the kernel dominance checks.

Thank you for the useful information.

Unfortunately, specifying different accreditation ranges for different users is exactly what I'm trying to achieve.

Thanks,
rob.

--
This message was distributed to subscribers of the selinux mailing list.
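The contrast the thread turns on, as an added toy model that is not part of either poster's message or of any SELinux or Solaris code: classic MLS dominance compares an object's label against a subject's single clearance label, so once UserB is cleared to sensitivity level 3 with category 3 in the clearance, a level-3 object carrying category 3 is readable; a per-category ceiling, which is what rob asks for, records the highest level a user may reach in each category separately, and a per-user table of ceilings models the "different accreditation ranges for different users" the encodings file cannot express. The `ceiling_from_range` helper derives such a ceiling from a valid-categories-per-level description shaped like the accreditation-range text quoted above. Level numbers, category numbers and the two user matrices are taken from the thread; everything else (class and function names, the treatment of uncategorised objects) is this example's own assumption.

```python
"""Toy comparison of MLS dominance versus a per-category sensitivity ceiling.

Added illustration, not code from the mailing-list thread. Labels use the
thread's naming: sensitivity levels sl0..sl3 are integers 0..3, categories
c0..c3 are integers 0..3.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int            # sensitivity level, 0..3 (sl0..sl3)
    cats: frozenset       # categories carried by the label (c0..c3 -> 0..3)


def mls_dominates(subject: Label, obj: Label) -> bool:
    """Standard MLS dominance: the subject may read obj when its level is at
    least obj.level and its category set includes every category of obj."""
    return subject.level >= obj.level and obj.cats <= subject.cats


def per_category_allows(ceiling: dict, obj: Label) -> bool:
    """Per-category accreditation (the regime rob describes): ceiling[c] is
    the highest level the user may access in category c.  Every category on
    the object must be within its own ceiling.  Modelling assumption: an
    object with no categories is bounded by the user's highest ceiling."""
    if not obj.cats:
        return obj.level <= max(ceiling.values(), default=-1)
    return all(obj.level <= ceiling.get(c, -1) for c in obj.cats)


def ceiling_from_range(valid_by_level: dict) -> dict:
    """Derive a per-category ceiling from a description of which categories
    are valid at each level, the shape of the accreditation-range text in
    the thread ("all compartment combinations valid except: c0 c1", ...)."""
    ceiling = {}
    for level, cats in valid_by_level.items():
        for c in cats:
            ceiling[c] = max(ceiling.get(c, -1), level)
    return ceiling


# The two matrices from the thread, as per-category ceilings.
USER_A = {0: 1, 1: 1, 2: 2, 3: 3}      # c0,c1 up to sl1; c2 up to sl2; c3 up to sl3
USER_B = {0: 3, 1: 3, 2: 3, 3: 2}      # c0..c2 up to sl3; c3 only up to sl2

# UserA's range written the way the quoted encodings text spells it out.
USER_A_RANGE = {
    0: {0, 1, 2, 3},   # sl0: all compartment combinations valid
    1: {0, 1, 2, 3},   # sl1: all compartment combinations valid
    2: {2, 3},         # sl2: all valid except c0, c1
    3: {3},            # sl3: only c3 valid
}


def compare_user_b(obj: Label) -> dict:
    """Decide obj for UserB under the three regimes the thread discusses:
    the MLS clearance that includes c3 at sl3 (grants too much), the MLS
    clearance with c3 removed entirely (denies too much), and the
    per-category ceiling rob wants."""
    return {
        "mls_c3_cleared": mls_dominates(Label(3, frozenset({0, 1, 2, 3})), obj),
        "mls_c3_removed": mls_dominates(Label(3, frozenset({0, 1, 2})), obj),
        "per_category": per_category_allows(USER_B, obj),
    }


if __name__ == "__main__":
    for obj in (Label(3, frozenset({3})), Label(1, frozenset({3}))):
        print(obj, compare_user_b(obj))
    print("UserA ceiling from range text:", ceiling_from_range(USER_A_RANGE))
```

Running the block shows the gap directly: a level-3 object in category 3 is granted to UserB by the classic clearance, a level-1 object in category 3 is refused once category 3 is dropped from the clearance, and only the per-category ceiling gives the intended answer in both cases. Because the ceiling is keyed per user, two users with different matrices are just two different dicts, which is exactly what a single global accreditation range cannot provide.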