On Thu, 2006-07-06 at 08:10 -0400, Knoke, Jim (US SSA) wrote:
> Can anyone explain why MLS systems tend to require objects to dominate
> their containing directory? Is it just to simplify covert channel
> analysis? Is it just a usability issue in that a user may get confused
> if s/he can set a working directory, but then potentially not be able to
> read ".."?
>

Say a directory = SECRET. That means the dir file is labeled SECRET. Quite possibly because the filenames are themselves SECRET. To be able to read with no privilege requires dominance. To be able to write w/o privs requires equality. Therefore, the requirement matches the MAC enforcement.

>
> Are regrades of non-empty directories typically disallowed just
> because of the complexity of locking all the contained objects during
> the regrade operation?
>

I believe that is one reason. Quite possibly could break some code if the writer assumed that the directory was always going to allow syslo->syshi files and later someone changed the directory level up. In practice it was seldom done.

Usually (but not always) directories are either multilevel (polyinstantiated) or syslo. In cases where they are not either of those they are either well-known and static or else labeled when created.

LCB.

--
LC Bruzenak
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
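
The read and write rules stated in the reply above, as a small added model (this is not part of the original message or of any MLS implementation). The numeric ordering of the levels, the category sets, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed ordering for illustration; syslo/syshi are the bottom and top levels.
LEVELS = {"SYSLO": 0, "CONFIDENTIAL": 1, "SECRET": 2, "SYSHI": 3}

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()  # compartments/categories (assumed model)

    def dominates(self, other):
        # Higher-or-equal level AND a superset of the other's categories.
        return LEVELS[self.level] >= LEVELS[other.level] and self.cats >= other.cats

def can_read(subject, obj):
    """Unprivileged read: the subject's label must dominate the object's."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """Unprivileged write: the labels must be equal."""
    return subject == obj

def can_create_in(subject, directory):
    """Adding a name to a directory is a write to the directory file."""
    return can_write(subject, directory)

def can_open_via(subject, directory, file_label):
    """Looking a name up reads the directory; then the file itself is read."""
    return can_read(subject, directory) and can_read(subject, file_label)

def entries_below_directory(directory, entries):
    """Names whose label does not dominate the containing directory's label."""
    return [n for n, lbl in entries.items() if not lbl.dominates(directory)]

if __name__ == "__main__":
    secret, conf = Label("SECRET"), Label("CONFIDENTIAL")
    # Only a SECRET subject can add names to a SECRET directory without privilege.
    print(can_create_in(secret, secret), can_create_in(conf, secret))
    # A CONFIDENTIAL file there is unreachable by CONFIDENTIAL subjects,
    # because the lookup needs read access to the SECRET directory.
    print(can_open_via(conf, secret, conf), can_open_via(secret, secret, conf))
    print(entries_below_directory(secret, {"a": secret, "b": conf}))
```

In this model a file labeled below its directory gains no additional readers, since every subject able to read the directory already dominates the directory's label.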
