DOMINANCE(5)                                                      DOMINANCE(5)

NAME
     dominance - MAC label comparison policy

SYNOPSIS
     #include <sys/mac_label.h>

DESCRIPTION
     On systems with mandatory access control (MAC) enabled, the set of all possible Mandatory Access Control (MAC) labels constitutes a lattice. A lattice is a partially ordered set in which every pair of elements has a greatest lower bound (GLB) and a least upper bound (LUB). A partial ordering over a set is defined by a relation that is reflexive, antisymmetric, and transitive:

     Reflexive:      every element in the set is "related" to itself.

     Antisymmetric:  given two elements in the set, if the first element is "related" to the second element and the second element is "related" to the first element, then the two elements are necessarily equal.

     Transitive:     given three elements in the set, if the first element is "related" to the second element and the second element is "related" to the third element, then the first element is also "related" to the third element.

     A simple example of this is the improper subset relation:

     Reflexive:      Given a set A, A is an improper subset of A.

     Antisymmetric:  Given two sets A and B, if A is an improper subset of B and B is an improper subset of A, then A and B are equal (i.e., the same set).

     Transitive:     Given three sets A, B, and C, if A is an improper subset of B and B is an improper subset of C, then A is an improper subset of C.

     dominance is the relation providing the partial ordering over the lattice formed by the set of all possible MAC labels. Hence, the dominance relation upholds the three properties described above over the set of all possible MAC labels.
     A MAC label is defined as follows:

          struct mac_label {
               unsigned char  ml_msen_type;
               unsigned char  ml_mint_type;
               unsigned char  ml_level;
               unsigned char  ml_grade;
               unsigned short ml_catcount;
               unsigned short ml_divcount;
               unsigned short ml_list[MAC_MAX_SETS];
          };

     A MAC label comprises both a Mandatory Sensitivity (MSEN) label portion and a Mandatory Integrity (MINT) label portion. With respect to the above definition, the MSEN label portion includes 1) ml_msen_type, 2) ml_level, 3) ml_catcount, and 4) the first ml_catcount elements of ml_list[MAC_MAX_SETS], while the MINT label portion includes 1) ml_mint_type, 2) ml_grade, 3) ml_divcount, and 4) the last ml_divcount elements of ml_list[MAC_MAX_SETS].

     At the highest level, whether one MAC label dominates another depends simply upon whether the MSEN label portions compare as required and whether the MINT label portions compare as required. By definition, for any two MAC labels A and B, A dominates B if and only if the MSEN label portion of A dominates the MSEN label portion of B and the MINT label portion of A is dominated by the MINT label portion of B. Comparison of the MSEN label portions and of the MINT label portions is itself more involved, and may take one of two paths. Given two MAC labels A and B: the ml_msen_type fields are read, and based on their values either an MSEN dominance determination is made directly or it is determined that comparison of the ml_level, ml_catcount, and ml_list fields is required; likewise, the ml_mint_type fields are read, and based on their values either a MINT dominance determination is made directly or it is determined that comparison of the ml_grade, ml_divcount, and ml_list fields is required. That is, a MAC label includes an MSEN label type as part of the MSEN label portion and a MINT label type as part of the MINT label portion.
     The predefined set of valid system MSEN label type values is: msenadmin, msenequal, msenhigh, msenmldhigh, msenlow, msenmldlow, msenmld, and msentcsec. The predefined set of valid system MINT label type values is: mintequal, minthigh, mintlow, and mintbiba. The MSEN label type set and the MINT label type set each constitute a lattice, in that there exists a fully defined comparison relation between each pair of MSEN label types and each pair of MINT label types: either they are equal, one dominates the other, they are non-comparable, or further comparison of the other relevant component fields is required.

     In particular, for all MAC labels containing one of the MSEN label types msenadmin, msenequal, msenhigh, msenmldhigh, msenlow, or msenmldlow, the comparison relation between the MSEN label portions of two MAC labels depends only upon the MSEN label types. Likewise, for all MAC labels containing one of the MINT label types mintequal, minthigh, or mintlow, the comparison relation between the MINT label portions of two MAC labels depends only upon the MINT label types. In other words, given two MAC labels A and B, where either comprises one of the MSEN label types and one of the MINT label types just listed, the comparison relation between the two labels is fully defined by the label types.

     Where a MAC label contains an MSEN label type of msenmld or msentcsec, the level and the (possibly empty) category set component fields are included as part of the MSEN label portion. Analogously, where a MAC label contains a MINT label type of mintbiba, the grade and the (possibly empty) division set component fields are included as part of the MINT label portion. Given two MAC labels A and B, three situations then result:

     1.)  Both MAC labels comprise one of the MSEN label types msenmld or msentcsec and the MINT label type mintbiba.

     2.)  Both MAC labels comprise one of the MSEN label types msenmld or msentcsec along with comparable MINT label types (not mintbiba).

     3.)  Both MAC labels comprise the MINT label type mintbiba along with comparable MSEN label types (not msenmld or msentcsec).

     In all three situations, the comparison relation between the two MAC labels depends upon actual comparison of the level, category set, grade, and division set component fields.

     Given MAC labels A and B:

          A[S] and B[S] represent the MSEN label portions of A and B respectively
          A[I] and B[I] represent the MINT label portions of A and B respectively

     So that:

     If A[S] is an element in the set {msenadmin, msenequal, msenhigh, msenmldhigh, msenlow, msenmldlow} and A[I] is an element in the set {mintequal, minthigh, mintlow}, or B[S] is an element in the set {msenadmin, msenequal, msenhigh, msenmldhigh, msenlow, msenmldlow} and B[I] is an element in the set {mintbiba, minthigh, mintlow}, then a dominance determination is possible based solely on the MSEN and MINT label types.

     If A[S], B[S] are elements in the set {msenmld, msentcsec}, then comparison of the ml_level fields, the ml_catcount fields, and the first ml_catcount elements of the ml_list fields is required.

     If A[I], B[I] are elements in the set {mintbiba}, then comparison of the ml_grade fields, the ml_divcount fields, and the last ml_divcount elements of the ml_list fields is required.

     And if A[S], B[S] are elements in the set {msenmld, msentcsec} and A[I], B[I] are elements in the set {mintbiba}, then both comparisons are required: that of the ml_level fields, the ml_catcount fields, and the first ml_catcount elements of the ml_list fields, and that of the ml_grade fields, the ml_divcount fields, and the last ml_divcount elements of the ml_list fields.
     MSEN label type comparison

     If A[S] is msenadmin then
          If B[S] is msenadmin or msenequal then A[S] is equal to B[S]
          If B[S] is msenhigh or msenmldhigh then A[S] is dominated by B[S]
          If B[S] is msenlow or msenmldlow then A[S] dominates B[S]
          If B[S] is msenmld or msentcsec then A[S] and B[S] are non-comparable

     If A[S] is msenequal then A[S] is equal to B[S]

     If A[S] is msenhigh then
          If B[S] is msenequal, msenhigh or msenmldhigh then A[S] is equal to B[S]
          If B[S] is msenadmin, msenlow, msenmldlow, msenmld or msentcsec then A[S] dominates B[S]

     If A[S] is msenmldhigh then
          If B[S] is msenequal, msenhigh or msenmldhigh then A[S] is equal to B[S]
          If B[S] is msenadmin, msenlow, msenmldlow, msenmld or msentcsec then A[S] dominates B[S]

     If A[S] is msenlow then
          If B[S] is msenequal, msenlow or msenmldlow then A[S] is equal to B[S]
          If B[S] is msenadmin, msenhigh, msenmldhigh, msenmld or msentcsec then A[S] is dominated by B[S]

     If A[S] is msenmldlow then
          If B[S] is msenequal, msenlow or msenmldlow then A[S] is equal to B[S]
          If B[S] is msenadmin, msenhigh, msenmldhigh, msenmld or msentcsec then A[S] is dominated by B[S]

     If A[S] is msenmld then
          If B[S] is msenequal then A[S] is equal to B[S]
          If B[S] is msenlow or msenmldlow then A[S] dominates B[S]
          If B[S] is msenhigh or msenmldhigh then A[S] is dominated by B[S]
          If B[S] is msenadmin then A[S] and B[S] are non-comparable
          If B[S] is msenmld or msentcsec then the level and category set component fields of A[S] and B[S] must be compared

     If A[S] is msentcsec then
          If B[S] is msenequal then A[S] is equal to B[S]
          If B[S] is msenlow or msenmldlow then A[S] dominates B[S]
          If B[S] is msenhigh or msenmldhigh then A[S] is dominated by B[S]
          If B[S] is msenadmin then A[S] and B[S] are non-comparable
          If B[S] is msenmld or msentcsec then the level and category set component fields of A[S] and B[S] must be compared

     MINT label type comparison

     If A[I] is mintequal then A[I] is equal to B[I]

     If A[I] is minthigh then
          If B[I] is mintequal or minthigh then A[I] is equal to B[I]
          If B[I] is mintlow or mintbiba then A[I] is dominated by B[I]

     If A[I] is mintlow then
          If B[I] is mintequal or mintlow then A[I] is equal to B[I]
          If B[I] is minthigh or mintbiba then A[I] dominates B[I]

     If A[I] is mintbiba then
          If B[I] is mintequal then A[I] is equal to B[I]
          If B[I] is minthigh then A[I] dominates B[I]
          If B[I] is mintlow then A[I] is dominated by B[I]
          If B[I] is mintbiba then the grade and division set component fields of A[I] and B[I] must be compared

     The rules for the MSEN and MINT label type dominance relationship are defined as follows:

     For MSEN label type dominance:
          msenadmin is defined to dominate msenadmin, msenequal, msenlow, and msenmldlow.
          msenequal is defined to dominate all other MSEN label types.
          msenhigh is defined to dominate all other MSEN label types.
          msenmldhigh is defined to dominate all other MSEN label types.
          msenlow is defined to dominate msenequal, msenlow and msenmldlow.
          msenmldlow is defined to dominate msenequal, msenlow and msenmldlow.
          msenmld is defined to dominate msenequal, msenlow and msenmldlow. In addition, msenmld is defined to dominate msenmld and msentcsec if the level of A[S] is greater than or equal to the level of B[S] and the category set of A[S] is a superset of the category set of B[S].
          msentcsec is defined to dominate msenequal, msenlow and msenmldlow. In addition, msentcsec is defined to dominate msenmld and msentcsec if the level of A[S] is greater than or equal to the level of B[S] and the category set of A[S] is a superset of the category set of B[S].

     For MINT label type dominance:
          mintequal is defined to dominate all other MINT label types.
          mintlow is defined to dominate all other MINT label types.
          minthigh is defined to dominate mintequal and minthigh.
          mintbiba is defined to dominate mintequal and minthigh. In addition, mintbiba is defined to dominate mintbiba if the grade of A[I] is less than or equal to the grade of B[I] and the division set of A[I] is a subset of the division set of B[I].
     The rules for the MSEN and MINT label type equality relationship are defined as follows:

     For MSEN label type equality:
          msenadmin is defined to equal msenadmin and msenequal.
          msenequal is defined to equal all other MSEN label types.
          msenhigh is defined to equal msenequal, msenhigh and msenmldhigh.
          msenmldhigh is defined to equal msenequal, msenhigh and msenmldhigh.
          msenlow is defined to equal msenequal, msenlow and msenmldlow.
          msenmldlow is defined to equal msenequal, msenlow and msenmldlow.
          msenmld is defined to equal msenequal. In addition, msenmld is defined to equal msenmld and msentcsec if the level of A[S] is equal to the level of B[S] and the category set of A[S] is equal to the category set of B[S].
          msentcsec is defined to equal msenequal. In addition, msentcsec is defined to equal msenmld and msentcsec if the level of A[S] is equal to the level of B[S] and the category set of A[S] is equal to the category set of B[S].

     For MINT label type equality:
          mintequal is defined to equal all other MINT label types.
          minthigh is defined to equal mintequal and minthigh.
          mintlow is defined to equal mintequal and mintlow.
          mintbiba is defined to equal mintequal. In addition, mintbiba is defined to equal mintbiba if the grade of A[I] is equal to the grade of B[I] and the division set of A[I] is equal to the division set of B[I].

     Any pair of MSEN label types or MINT label types not explicitly referenced above is considered non-comparable, and thus the MAC labels comprised of them are also non-comparable.
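     The comparison rules above, carried through as a working dominance check in C. This is an added example, not code from this manual page or from <sys/mac_label.h>: the struct layout is the one defined earlier on this page, but the enum values, MAC_MAX_SETS = 16 and the fail-closed handling of malformed labels are assumptions, and the lookup tables transcribe the type relationships given in the rules (Tables 1 and 2 below restate them).

```c
/* Added example, not code from the man page or <sys/mac_label.h>; MAC_MAX_SETS
 * and the enum values are assumptions (enum order follows Tables 1 and 2). */
#define MAC_MAX_SETS 16
enum { MSEN_ADMIN, MSEN_EQUAL, MSEN_HIGH, MSEN_MLDHIGH,
       MSEN_LOW, MSEN_MLDLOW, MSEN_MLD, MSEN_TCSEC };
enum { MINT_EQUAL, MINT_HIGH, MINT_LOW, MINT_BIBA };
struct mac_label {
    unsigned char  ml_msen_type, ml_mint_type, ml_level, ml_grade;
    unsigned short ml_catcount, ml_divcount;
    unsigned short ml_list[MAC_MAX_SETS]; /* categories first, divisions last */
};
/* Tables 1 and 2, row versus column: '=' equal, '>' row dominates column,
 * '<' row dominated by column, 'N' non-comparable, '*' compare the fields. */
static const char msen_rel[8][9] = {
    "==<<>>NN", "========", ">===>>>>", ">===>>>>",
    "<=<<==<<", "<=<<==<<", "N=<<>>**", "N=<<>>**" };
static const char mint_rel[4][5] = { "====", "==<<", "=>=>", "=><*" };
/* 1 if every element of sub[0..n) occurs in sup[0..m), i.e. sub is a subset. */
static int is_subset(const unsigned short *sub, int n, const unsigned short *sup, int m)
{
    for (int i = 0; i < n; i++) {
        int found = 0;
        for (int j = 0; j < m && !found; j++) found = (sub[i] == sup[j]);
        if (!found) return 0;
    }
    return 1;
}
/* 1 if a dominates b: MSEN(a) dominates MSEN(b) and MINT(a) is dominated by
 * MINT(b). Malformed labels (bad type, set counts overrunning ml_list) fail closed. */
int mac_dominates(const struct mac_label *a, const struct mac_label *b)
{
    if (a->ml_msen_type > MSEN_TCSEC || b->ml_msen_type > MSEN_TCSEC ||
        a->ml_mint_type > MINT_BIBA || b->ml_mint_type > MINT_BIBA ||
        a->ml_catcount + a->ml_divcount > MAC_MAX_SETS ||
        b->ml_catcount + b->ml_divcount > MAC_MAX_SETS)
        return 0;
    char s = msen_rel[a->ml_msen_type][b->ml_msen_type];
    char i = mint_rel[a->ml_mint_type][b->ml_mint_type];
    int msen_ok = (s == '=' || s == '>');
    int mint_ok = (i == '=' || i == '<');
    if (s == '*')   /* both msenmld/msentcsec: level and category set decide */
        msen_ok = a->ml_level >= b->ml_level &&
                  is_subset(b->ml_list, b->ml_catcount, a->ml_list, a->ml_catcount);
    if (i == '*')   /* both mintbiba: MINT(b) dominates MINT(a) iff grade_b <= grade_a
                       and the division set of b is a subset of that of a */
        mint_ok = b->ml_grade <= a->ml_grade &&
                  is_subset(b->ml_list + MAC_MAX_SETS - b->ml_divcount, b->ml_divcount,
                            a->ml_list + MAC_MAX_SETS - a->ml_divcount, a->ml_divcount);
    return msen_ok && mint_ok;
}
```

     Note that a mintbiba pair therefore resolves to "a dominates b" only when a has the greater or equal grade and the larger or equal division set, since the MINT portion of a must be dominated by that of b.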
     TABLE 1: MSEN Label Type Relationships

     Rows and columns are the MSEN label types in the order listed above (A msenadmin, E msenequal, H msenhigh, I msenmldhigh, L msenlow, N msenmldlow, M msenmld, T msentcsec). Each entry gives the relation of the row type to the column type: = equal, > dominates, < is dominated by, NC non-comparable, * the level and category set component fields must be compared.

          ___________________________________________
                A    E    H    I    L    N    M    T
          ___________________________________________
           A    =    =    <    <    >    >    NC   NC
           E    =    =    =    =    =    =    =    =
           H    >    =    =    =    >    >    >    >
           I    >    =    =    =    >    >    >    >
           L    <    =    <    <    =    =    <    <
           N    <    =    <    <    =    =    <    <
           M    NC   =    <    <    >    >    *    *
           T    NC   =    <    <    >    >    *    *
          ___________________________________________

     TABLE 2: MINT Label Type Relationships

     Rows and columns are the MINT label types (e mintequal, h minthigh, l mintlow, b mintbiba); entries read as in Table 1, with * meaning the grade and division set component fields must be compared.

          ________________________
                e    h    l    b
          ________________________
           e    =    =    =    =
           h    =    =    <    <
           l    =    >    =    >
           b    =    >    <    *
          ________________________

FILES
     /etc/mac

SEE ALSO
     mac_dominate(3c), mac_equal(3c), mac_to_text(3c), mac_from_text(3c)