Date:      Sun, 21 Aug 2005 16:57:29 +0400
From:      Michael <misha@onet.ru>
To:        freebsd-hackers@freebsd.org
Subject:   MAC Biba policy. High marked process can't write to high marked file.
Message-ID:  <43087A39.7000106@onet.ru>

Hello, hackers.

First of all I have to apologize for my English, sorry.

I was playing with Mandatory Access Control; everything was done as
described in the handbook: I added an 'insecure' class with
"label=partition/13,mls/5,biba/low", then created a 'mactest' user and
placed it there. I turned on multilabel support on the /usr FS. All MAC
policies are loaded at boot time from /boot/loader.conf.
But I ran into a problem. According to the man page (mac_biba(4)), no
write up and no read down are allowed. If object and subject have equal
(high and high, or low and low) markers, it means "as Biba protections
were not in place." Some of my tests go below, and I have stumbled at
writing high->high (it gives me "permission denied"). Low->low works
perfectly. The question is: what am I doing wrong? Is it just a
misunderstanding of the handbook, or something else?


%getfmac test
test: biba/high,mls/equal               # Make sure that MLS won't bother us
%setfmac biba/low test
%setpmac biba/high echo 1 > test        # 'high' can write to 'low'...
%setpmac biba/high cat test
cat: test: Permission denied            # ...but can't read (o.k.)
%setpmac biba/low cat test              # equal levels (low and low) can do everything
1
%setpmac biba/low echo 1 >> test
%setpmac biba/low cat test              # it can also write to the file
1
1
%setfmac biba/high test                 # set the 'high' ticket on the file
%setpmac biba/high echo 1 >> test       # bah!
test: Permission denied.

%setpmac biba/high ls -lZ test
-rw-r--r--  1 mactest  wheel  biba/high,mls/equal 4 Aug 21 16:30 test
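An added example, not part of the original mail: a small Python model of the mac_biba(4) rules (no read down, no write up, biba/equal exempt from checks) replayed over the commands above. It assumes the interactive shell runs at the login class's biba/low label, so a redirection such as `> test` or `>> test` is opened by the shell rather than by the command that setpmac launches; the model shows which opens the rules allow under that assumption.

```python
# Added example (not from the original mail): a model of the mac_biba(4)
# integrity rules replayed over the session in the mail. Assumption: the
# interactive shell runs at the login class's biba/low label, and a shell
# redirection such as "> test" is opened by the shell, not by the command
# that setpmac(8) launches.

RANK = {"low": 0, "high": 1}


def dominates(a: str, b: str) -> bool:
    """True if integrity label a is at least as high as b ('equal' matches anything)."""
    if a == "equal" or b == "equal":
        return True
    return RANK[a] >= RANK[b]


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba: no read down (the object must dominate the subject for reads),
    no write up (the subject must dominate the object for writes)."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(op)


def replay(shell_label: str = "low"):
    """Replay the mail's commands; returns {step: allowed?}."""
    file_label = "low"            # after 'setfmac biba/low test'
    results = {}
    # 'setpmac biba/high echo 1 > test': the redirect is opened by the shell
    results["high echo > low"] = biba_allows(shell_label, file_label, "write")
    # 'setpmac biba/high cat test': cat itself opens the file, at biba/high
    results["high cat low"] = biba_allows("high", file_label, "read")
    results["low cat low"] = biba_allows("low", file_label, "read")
    results["low echo >> low"] = biba_allows(shell_label, file_label, "write")
    file_label = "high"           # after 'setfmac biba/high test'
    # 'setpmac biba/high echo 1 >> test': the shell (still biba/low) opens it
    results["high echo >> high"] = biba_allows(shell_label, file_label, "write")
    # what a biba/high process opening the biba/high file itself would get
    results["high process writes high"] = biba_allows("high", file_label, "write")
    return results


if __name__ == "__main__":
    for step, ok in replay().items():
        print(f"{step:28s} {'allowed' if ok else 'Permission denied'}")
```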


