From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 21 12:57:44 2005
Message-ID: <43087A39.7000106@onet.ru>
Date: Sun, 21 Aug 2005 16:57:29 +0400
From: Michael
To: freebsd-hackers@freebsd.org
Subject: MAC Biba policy. High marked process can't write to high marked file.
List-Id: Technical Discussions relating to FreeBSD

Hello, hackers. First of all I have to apologize for my English, sorry.
I was playing with Mandatory Access Control; everything was done as described in the handbook: I added an 'insecure' class with "label=partition/13,mls/5,biba/low". Then I created a 'mactest' user and placed it there. I turned on multilabel support on the /usr FS. All MAC policies are loaded at boot time from /boot/loader.conf. But I ran into a problem. According to the man page (mac_biba(4)), no write up and no read down are allowed. If object and subject have equal (high and high, or low and low) markers, it means "as Biba protections were not in place." Some of my tests are below, and I have stumbled at writing high->high (it gives me "permission denied"). Low->low works perfectly. The question is: what am I doing wrong? Is it just a misunderstanding of the handbook or something else?

%getfmac test
test: biba/high,mls/equal
# Make sure that MLS won't bother us
%setfmac biba/low test
%setpmac biba/high echo 1 > test      # 'high' can write to 'low'...
%setpmac biba/high cat test           # ...but can't read (o.k.)
cat: test: Permission denied
%setpmac biba/low cat test            # equal levels (low and low) can do everything
1
%setpmac biba/low echo 1 >> test
%setpmac biba/low cat test            # it can also write to the file
1
1
%setfmac biba/high test               # set the file's ticket to 'high'
%setpmac biba/high echo 1 >> test     # bah!
test: Permission denied.
%setpmac biba/high ls -lZ test
-rw-r--r--  1 mactest  wheel  biba/high,mls/equal  4 Aug 21 16:30 test
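The session above can be reproduced with a small model of the mac_biba(4) checks. This is an added example, not code from the post or from FreeBSD; it simulates the two Biba rules (no read down, no write up) and one detail of how the commands were typed: in `setpmac biba/high echo 1 >> test` the `>> test` redirection is opened by the invoking shell, which still carries the shell's own label, before setpmac ever runs, so the access decision for the redirect target is made against the shell's label, not biba/high. It assumes the login shell runs at biba/low (the label of the 'insecure' class described in the post) and ignores MLS, since the file is mls/equal.

```python
"""Model of mac_biba(4) integrity checks: no read down, no write up.

Constructed example; it models the label comparisons, not the FreeBSD
kernel. Labels: LOW < HIGH, and None stands for biba/equal, which the
policy treats as matching any level.
"""
from enum import IntEnum


class Biba(IntEnum):
    LOW = 0
    HIGH = 2   # the post only uses low/high; graded levels would sit between


def dominates(a, b) -> bool:
    """True if label a is at least as high in integrity as label b."""
    if a is None or b is None:      # biba/equal matches everything
        return True
    return a >= b


def can_read(subject, obj) -> bool:
    # Simple integrity property: a subject may only read objects whose
    # integrity is at least its own (no read down).
    return dominates(obj, subject)


def can_write(subject, obj) -> bool:
    # Integrity *-property: a subject may only write objects whose
    # integrity is at most its own (no write up).
    return dominates(subject, obj)


def shell_redirect_then_setpmac(shell_label, setpmac_label, file_label, mode):
    """Simulate `setpmac <setpmac_label> cmd > file` typed into a shell.

    The shell opens the redirect target under its own label before it
    execs setpmac; the command later runs at setpmac_label but only ever
    sees the already-open descriptor, so setpmac_label plays no part in
    the open() decision (assumption stated in the lead-in).
    """
    del setpmac_label  # deliberately unused: the open happened earlier
    if mode == "write":
        return can_write(shell_label, file_label)
    return can_read(shell_label, file_label)


def setpmac_cat(setpmac_label, file_label):
    """`setpmac <label> cat file`: cat opens the file itself, at its label."""
    return can_read(setpmac_label, file_label)


def replay_post_session(shell_label=Biba.LOW):
    """Replay the post's commands in order; returns {command: allowed}."""
    results = {}
    test = Biba.LOW                                    # setfmac biba/low test
    results["setpmac biba/high echo 1 > test  (file low)"] = \
        shell_redirect_then_setpmac(shell_label, Biba.HIGH, test, "write")
    results["setpmac biba/high cat test       (file low)"] = \
        setpmac_cat(Biba.HIGH, test)
    results["setpmac biba/low cat test        (file low)"] = \
        setpmac_cat(Biba.LOW, test)
    results["setpmac biba/low echo 1 >> test  (file low)"] = \
        shell_redirect_then_setpmac(shell_label, Biba.LOW, test, "write")
    test = Biba.HIGH                                   # setfmac biba/high test
    results["setpmac biba/high echo 1 >> test (file high)"] = \
        shell_redirect_then_setpmac(shell_label, Biba.HIGH, test, "write")
    # What the poster expected to be tested: a process that really runs at
    # biba/high opening the high file for writing.
    results["process at biba/high writes file high"] = can_write(Biba.HIGH, test)
    return results


if __name__ == "__main__":
    for cmd, ok in replay_post_session().items():
        print(f"{cmd}: {'ok' if ok else 'Permission denied'}")
```

The replay yields exactly the pattern in the post (ok, denied, ok, ok, denied), while the final entry shows that a high process writing a high file is permitted by the rules themselves. One way to confirm this on a real system is to let the shell that performs the redirection run at the target label, for instance `setpmac biba/high sh -c 'echo 1 >> test'`, so that the open() is made by a biba/high process.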