Module name: mac_mls.ko
Kernel configuration line: options MAC_MLS
Boot option: mac_mls_load="YES"
The mac_mls(4) policy
controls access between subjects and objects in the system by enforcing a strict
information flow policy.
In MLS environments, a “clearance”
level is set in each subject or objects label, along with compartments. Since these
clearance or sensibility levels can reach numbers greater than six thousand; it would be
a daunting task for any system administrator to thoroughly configure each subject or
object. Thankfully, three “instant” labels are already included in this
policy.
These labels are mls/low, mls/equal
and mls/high. Since these labels are described in depth in the
manual page, they will only get a brief description here:
-
The mls/low label contains a low configuration which permits
it to be dominated by all other objects. Anything labeled with mls/low will have a low clearance level and not be permitted to
access information of a higher level. In addition, this label will prevent objects of a
higher clearance level from writing or passing information on to them.
-
The mls/equal label should be placed on objects considered to
be exempt from the policy.
-
The mls/high label is the highest level of clearance
possible. Objects assigned this label will hold dominance over all other objects in the
system; however, they will not permit the leaking of information to objects of a lower
class.
MLS provides for:
-
A hierarchical security level with a set of non hierarchical categories;
-
Fixed rules: no read up, no write down (a subject can have read access to objects on
its own level or below, but not above. Similarly, a subject can have write access to
objects on its own level or above but not beneath.);
-
Secrecy (preventing inappropriate disclosure of data);
-
Basis for the design of systems that concurrently handle data at multiple sensitivity
levels (without leaking information between secret and confidential).
The following sysctl tunables are available for the
configuration of special services and interfaces:
-
security.mac.mls.enabled is used to enable/disable the
MLS policy.
-
security.mac.mls.ptys_equal will label all pty(4) devices as mls/equal during creation.
-
security.mac.mls.revocation_enabled is used to revoke access
to objects after their label changes to a label of a lower grade.
-
security.mac.mls.max_compartments is used to set the maximum
number of compartment levels with objects; basically the maximum compartment number
allowed on a system.
To manipulate the MLS labels, the setfmac(8) command has
been provided. To assign a label to an object, issue the following command:
# setfmac mls/5 test
To get the MLS label for the file test issue the following command:
# getfmac test
This is a summary of the MLS policy's features.
Another approach is to create a master policy file in /etc
which specifies the MLS policy information and to feed
that file into the setfmac command. This method will be
explained after all policies are covered.
With the Multi-Level Security Policy Module, an administrator plans for controlling
the flow of sensitive information. By default, with its block read up block write down
nature, the system defaults everything to a low state. Everything is accessible and an
administrator slowly changes this during the configuration stage; augmenting the
confidentiality of the information.
Beyond the three basic label options above, an administrator may group users and
groups as required to block the information flow between them. It might be easier to look
at the information in clearance levels familiarized with words, for instance
classifications such as Confidential, Secret, and Top Secret. Some administrators
might just create different groups based on project levels. Regardless of classification
method, a well thought out plan must exist before implementing such a restrictive
policy.
Some example situations for this security policy module could be an e-commerce web
server, a file server holding critical company information, and financial institution
environments. The most unlikely place would be a personal workstation with only two or
three users.