Re: Security through Permissiveness: A Zen Riddle?

From: Casey Schaufler (caseyat_private)
Date: Mon Jul 16 2001 - 10:33:25 PDT


    "KRAMER,STEVEN (HP-USA,ex1)" wrote:
    > 
    > Allowing DAC to override MAC in a secure system can occur easily.
    > 
    > Yes, the 2 AC policies are "additional" policies in the POSIX 1e
    > terminology, and the kernel checks both DAC and MAC upon system object
    > access. I don't disagree there.
    > 
    > But where I disagree is that protecting MAC DBs with MAC is all the
    > protection you need.  Where do you store the MAC DB?   It's
    > typically in the filesystem.  Even where you apply a MAC label to a MAC
    > DB, you still run into problems.  If the MAC DB is in /mac/policy/db,
    > and assuming /mac on downward is labeled with a special MAC label,
    > all you need to do is get access to /, which on all systems I've seen is
    > at something akin to "syslo".  DAC access to / allows you to move away
    > the offending /mac dir and substitute it with your own.  If the system
    > checks both "/" and "/mac" and disallows the operation, there's /dev/sd0
    > or perhaps /etc/init or /etc/passwd.  That is, not all system DBs are
    > MAC protected, and through many of them, you can compromise the system
    > and build up access in order to subvert the entire system.
    
    What you have here is a clear case of confusing implementation
    with policy. In our Trix4.0.5 product (evaluated at B1 in 1995)
    we had the MAC labels stored in a file on the file system, as you
    suggest above. The DB file, in fact the directory it was contained
    in, was protected by DAC and MAC: owned by root with a MAC label
    we call dblow, which mundane users are not allowed. The
    implementation allows that user to modify that file.
    
    In Trix6.5, the MAC labels are stored by XFS. The policy is the
    same, the implementation is different. Storing MAC labels in a
    file subject only to file system object protections offers
    only file system object protections. You could say that you have
    identified a flaw (or at least a weakness) in an implementation
    which stores the MAC labels in a file. You have not identified
    a case where DAC can override MAC. 
    
    -- 
    
    Casey Schaufler				Manager, Trust Technology, SGI
    caseyat_private				voice: 650.933.1634
    casey_pat_private			Pager: 888.220.0607
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    
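To make the distinction between policy and implementation concrete, here is a toy reference monitor added to this archive page (it is not code from the thread, from SGI, or from any real kernel). It assumes two constructed labels, SYSLO and DBLOW, a Bell-LaPadula style dominance check, and the path /mac/policy/db named in the message; the label store is modelled two ways, as a file keyed by path and as an attribute carried on the object.

```python
"""Toy reference monitor: DAC and MAC are both consulted on every access,
but WHERE an object's MAC label is stored is an implementation choice,
and that choice decides how much protection the label itself enjoys."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int
    cats: frozenset = frozenset()
    def dominates(self, other):
        return self.level >= other.level and other.cats <= self.cats

@dataclass
class Inode:
    owner: int
    mode: int            # POSIX permission bits
    label: Label         # label carried on the object itself (as XFS does)
    data: object = None  # file contents; for the label DB file, a dict path -> Label

@dataclass(frozen=True)
class Subject:
    uid: int
    clearance: Label

SYSLO, DBLOW = Label(0), Label(0, frozenset({"db"}))   # constructed labels

def dac_allows(s, ino, want):                 # want is "r" or "w"
    shift = 6 if s.uid == ino.owner else 0    # owner bits vs "other" bits
    return bool((ino.mode >> shift) & (4 if want == "r" else 2))

def mac_allows(s, label, want):               # no read up, no write down
    return s.clearance.dominates(label) if want == "r" else label.dominates(s.clearance)

def label_on_inode(fs, path):                 # implementation B: label is an object attribute
    return fs[path].label

def label_from_db(fs, path):                  # implementation A: label read from a DB file
    return fs["/mac/policy/db"].data.get(path, SYSLO)

def check(fs, s, path, want, label_of):
    """The policy: both DAC and MAC must permit; neither overrides the other."""
    return dac_allows(s, fs[path], want) and mac_allows(s, label_of(fs, path), want)

def decisions(db_replaced=False):
    """Can a mundane SYSLO user read a world-readable (DAC) but DBLOW (MAC) file?
    db_replaced models the DB file having been swapped for one carrying no labels."""
    fs = {"/etc/secret": Inode(0, 0o644, DBLOW, "constructed contents"),
          "/mac/policy/db": Inode(0, 0o600, DBLOW, {"/etc/secret": DBLOW})}
    if db_replaced:
        fs["/mac/policy/db"] = Inode(1000, 0o600, SYSLO, {})
    mundane = Subject(uid=1000, clearance=SYSLO)
    return {impl.__name__: check(fs, mundane, "/etc/secret", "r", impl)
            for impl in (label_on_inode, label_from_db)}
```

With the DB intact both implementations deny the read, since DAC permitting it never overrides the MAC denial; once the DB file is replaced, only the path-keyed implementation changes its answer, which is exactly a weakness of the label store, not of the policy.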



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 10:35:39 PDT