Mandatory Access Controls

Post by Subba Ra » Mon, 14 Jul 2003 08:10:15



Hello,

I have a very basic question regarding mandatory access
controls (MACs).

Using the following diagram:

-----------------------        -----------------------
|       Subject       |        |       Object        |
-----------------------        -----------------------
|      Clearance      |        |   Classification    |
|   Ex - Top Secret   |        |   Ex - Top Secret   |
|                     |        |                     |
-----------------------        -----------------------

In the MAC model, the "need-to-know" flag restricts the subject's
access to the object.  Is this flag part of the subject's attributes
or the object's attributes?

Thank you in advance.

--
Subba Rao

-------------------------------------------------------------------------
Old American Wild West saying:
        God created men but Colt made them equal.
Today:
        Linus created Linux and Linux made IT companies equal.

 
 
 


Post by Christopher Brown » Tue, 15 Jul 2003 06:23:26



> Hello,

> I have a very basic question regarding mandatory access
> controls (MACs).

> Using the following diagram:

> -----------------------        -----------------------
> |       Subject       |        |       Object        |
> -----------------------        -----------------------
> |      Clearance      |        |   Classification    |
> |   Ex - Top Secret   |        |   Ex - Top Secret   |
> |                     |        |                     |
> -----------------------        -----------------------

> In the MAC model, the "need-to-know" flag restricts the subject's
> access to the object.  Is this flag part of the subject's attributes
> or the object's attributes?

> Thank you in advance.

Do you consider the subject to be part of the object?  Or not?

If the subject is part of the object, then the control affects the
whole object, and the question is irrelevant.

On the other hand, if the subject is _not_ part of the object, then
what you have is _two_ objects, each of which would have to have
access controls in a MAC system.  In that case, there would be two
objects, and there would presumably be two flags, one for each object.
--

http://www.ntlug.org/~cbbrowne/security.html
"Open  Software and  freeing source  code isn't  socialism.   It isn't
socialist.  It's neither socialist nor capitalist; it just is."


 
 
 


Post by Fritz » Wed, 16 Jul 2003 01:00:04



> In the MAC model, the "need-to-know" flag restricts the subject's
> access to the object.  Is this flag part of the subject's attributes
> or the object's attributes?

"need-to-know" flag?   Are you talking about an MLS OS, or some other OS
that uses MAC?

In MLS operating systems, every object is, by definition, accessed on a
"need to know" basis, so there's no need for a special flag to indicate
such.

RFM
--
To reply, translate domain from l33+ 2p33|< to alpha.
                4=a  0=o  3=e  +=t
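
An added illustration, not part of the thread: in Bell-LaPadula-style MLS labelling, need-to-know is commonly modelled as a set of categories carried on both the subject's label and the object's label, and the access decision compares the two. The level names, category names and function names below are constructed for this example.

```python
from dataclasses import dataclass

# Hierarchical levels, lowest to highest (constructed sample lattice).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """MLS label: a hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance needs BOTH: a level at least as high, and every category
        # on the other label also present on this one.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): object must dominate subject."""
    return obj.dominates(subject)


def label(level: str, *cats: str) -> Label:
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return Label(level, frozenset(cats))


# Constructed sample subjects and objects (category names are hypothetical).
analyst = label("Top Secret", "CRYPTO")
auditor = label("Top Secret")
report = label("Top Secret", "CRYPTO", "NUCLEAR")
memo = label("Secret", "CRYPTO")

if __name__ == "__main__":
    for who, subj in (("analyst", analyst), ("auditor", auditor)):
        for what, obj in (("report", report), ("memo", memo)):
            print(f"{who} -> {what}: read={can_read(subj, obj)} "
                  f"write={can_write(subj, obj)}")
```

The analyst and the report share the Top Secret level, yet the read is refused because the report carries a category the analyst's label lacks.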