Part one of this article series, which focused on role-based access control (RBAC), discussed how the roles, responsibilities, and authorization of the root user were delegated to more than one user. The article also covered how an authorized user is allowed to execute the authorized commands or files or devices.
RBAC is focused more on a user's perspective. Multi-level security (MLS) is focused on the system perspective, where all the components, data, and devices, are classified into different security levels. Access is based on the sensitivity and integrity of the information.
Using examples, this article explains how the system plays an important role in providing multiple levels of security.
Multi-level security is about classifying the information at various security levels and deciding the access policy according to their levels.
Traditionally, Discretionary Access Control (DAC) is controlled by the user. MLS has the following additional layers enforced by the system:
- Mandatory Access Control (MAC)
- Mandatory Integrity Control (MIC)
These three access control layers -- DAC, MAC, and MIC -- can be viewed as shown in Figure 1 below.
Figure 1. Three levels of access control
Mandatory Access Control (MAC)
MAC is controlled by the system. It is based on the sensitivity of the information an objects holds and the sensitivity clearance of the subject.
- Object: Files, Directories
- Subject: Process which access the files (information).
Table 1. MAC rule
| PROCESS (Subject) | FILE (Object) | |
|---|---|---|
| READ | TOP SECRET | SECRET |
| WRITE | SECRET | SECRET |
Assume that a file is classified as SECRET, then the process classified as SECRET can WRITE into the file and the process classified as TOP SECRET can READ into the file.
The MAC rule shows that the component with higher sensitivity has read access over other components. Components that are in the same level have the write acess
MAC is represented in the system as Sensitivity Label (SL).
Mandatory Integrity Control (MIC)
MIC provides access control based on the integrity of the subject and object. Integrity is the measure of trustworthiness of the subject and object.
- If the process is not trustworthy, it should not be allowed to modify any information in the system.
- If the information is not trustworthy, the process should not be allowed to read that information.
MIC is represented in the system as Integrity Labels (TL).
The following example provides a better understanding of the Integrity label.
| Subject View | SUBJECT | OBJECT | Object View |
|---|---|---|---|
| READ and WRITE | Manager | Manager | READ and WRITE |
| WRITE | Manager | employee | NO READ |
| NO WRITE | employee | Manager | READ |
| READ and WRITE | employee | employee | READ and WRITE |
- Managers can share information each other at their level. Similarly, the employees can also (READ and WRITE).
- Managers can pass orders to employees, but the employees cannot read the (confidential) information of the manager.
- Managers can get information from employees, but the employees cannot order the Major.
Remember that both MIC and MAC comes above the DAC. Hence, even if MIC and MAC access details are satisfied, you need to have the required DAC permission.
The following tables show that both subject and object need to be at the same level to share (Read and Write) the information.These examples show how access restriction can be imposed in addition to the user-based access restriction and through labelling on system components like data, commands, and devices.
| Name | Integrity Labels | Comments | |
|---|---|---|---|
| Process | Shell | SECRET | Process CANNOT write into the file that is in high-security level |
| File | /etc/security/paswd | TOP SECRET | - |
| Name | Sensitivity Labels | Comments | |
|---|---|---|---|
| Process | Shell | SECRET |
|
| File | /etc/hosts | IMPLEMENTATION LOW | - |
From both MIC and MAC, you can derive the following access rule:
- For both process and file to have both read and write permissions, both have to be classified in the same level.
- For process to have read and execute permissions, it should be classified a level above the file.
You will see in details about both Sensitivity Label (SL) and Integrity Label (TL) later. Next the article discusses the system security configurational setting details, which explain how the labels can be enabled or disabled.
From AIX V6 onwards, you can configure the system to run in either operational mode or configurational mode.
Commands used in configuring the system
| Command | Comments |
|---|---|
| getrunmode | System is currently in OPERATIONAL MODE (default output) |
| setrunmode -c | System is prompted to set in configurational mode. Set to this mode when you want to modify the label settings. |
| setrunmode -o | System is prompted to set in operational mode. |
The following example shows that the system is configured for both MAC and MIC as the SL / TL enforcement are enabled.
$ getsecconf OPERATIONAL MODE Security Flags TRUSTED NETWORK : DISABLED SL ENFORCEMENT : ENABLED TL WRITE ENFORCEMENT : ENABLED TL READ ENFORCEMENT : ENABLED TLIB : DISABLED ROOT : DISABLED |
The setsecconf command can be used to enable and disable the labels as per your requirement. In this example output, you can see that SL enforcement is disabled, which means that the system has been configured to use Integrity labels for access permissions.
$ setsecconf -o sl=disable OPERATIONAL MODE Security Flags TRUSTED NETWORK : DISABLED SL ENFORCEMENT : DISABLED TL WRITE ENFORCEMENT : ENABLED TL READ ENFORCEMENT : ENABLED TLIB : DISABLED ROOT : DISABLED |
System labels can be understood from the following command.
$ getsyslab System Minimum Sensitivity Label: IMPLEMENTATION LOW System Maximum Sensitivity Label: TOP SECRET ALL System Minimum Integrity Label : TL IMPLEMENTATION LOW System Maximum Integrity Label : TL TOP SECRET |
Note: Label definition like IMPLEMENTATION LOW,TOP SECRET and more are all system-defined labels used to classify the files, process, devices and more.
As you have seen previously, the enforcement of MAC is implemented through Sensitivity Labels (SL) and MIC through Integrity Labels (TL).
SL has two parts:
- Classification: Indicates the level of security
- Compartments: Grouping under a classification
Following are the system-defined SL classifications:
- TOP SECRET
- SECRET
- CONFIDENTIAL
- IMPLEMENTATION LOW
A compartment is just a string representing different department or groups within the classification. It does not have any hierarchical order but can be used to impose constraints on the flow of information along with the classification. It is used to understand the relationship between lables, as shown in the table below. This relationship controls the access to the files.
Sensitivity label relationship
| Relationship | Classification | Compartment |
|---|---|---|
| Dominance | SL>=SL2 | SL1 compartments superset of SL2 |
| Equal | SL1=SL2 | SL1, SL2 compartments are the same |
| disjoint | NA | No match in compartment |
Integrity Labels control the integrity of the information and the trustworthiness of the process accessing the information.
Unlike SL, TL has only classification and no compartments. System-defined Integrity Labels classifications are:
- TOP SECRET
- SECRET
- CONFIDENTIAL
- IMPLEMENTATION LOW
Labels are used to classify the system components like files, commands, devices and more. Labels are used to impose the access restrictions as shown below.
Command details used under Label Environment
| Command | Output | Comments |
|---|---|---|
| lstxattr -f /etc/security/passwd | /etc/security/passwd sl=IMPLEMENTATION LOW tl=TL TOP SECRET secflags= | Lists the labels defined for the file /etc/security/passwd. Integrity label is classified as TOP SECRET saying that the process who wants to write to this file should be classified as TOP SECRET. Anything less will not have access. |
| lstxattr -p $$ | effsl=IMPLEMENTATION LOW maxcl=TOP SECRET ALL mincl=IMPLEMENTATION LOW efftl=TL IMPLEMENTATION LOW maxtl=TL TOP SECRET mintl=TL IMPLEMENTATION LOW | Lists the labels defined for the current shell process. Sensitivity and the integrity label ranges are shown as maxcl, mincl, and maxtl, mintl, respectively. Both the SL and TL have the effective label as IMPLEMENTATION LOW. This means that this process can read and write to the file which is of the same classification. Anything higher than this will not be accessed. |
| settxattr -f sl="SECRET" /etc/security/passwd | - | This sets the sensitive label of the passwd file to SECRET classification. |
| settxattr -p efftl="TL SECRET" $$ | - | This sets the effective Integrity label to SECRET classification for the current shell. |
- For process, effective labels are considered. Based on the range that has been defined, the effective label is been set for the system to provide access permissions. This gives you the option to set the effective label during login time as well within the given range.
- Files (data) do not have the effective labels. By default files are created with the classification similar to the shell process classification.
Example 4. Defining security labels to the shell during login
login: isso -e SECRET -t "TL IMPLEMENTATION LOW" isso's Password: $ lstxattr -p $$ 540862 effsl=SECRET maxcl=TOP SECRET ALL mincl=IMPLEMENTATION LOW efftl=TL IMPLEMENTATION LOW maxtl=TL TOP SECRET mintl=TL IMPLEMENTATION LOW |
This example shows how the effective SL and TL can be set for the shell process during login.
Be cautious not to set a high level of Integrity labels to the process since it prevents some of the commands to be executed, which are classified to be at low level.
If a file is not trustworthy, the process is denied READ access to the file if the process is classified as high.
| File | SL | TL | Command | DAC |
|---|---|---|---|---|
| /tmp/hello.txt | IMPLEMENTATION LOW | IMPLEMENTATION LOW | lstxattr -f /tmp/hello.txt | rwxrwxrwx |
| Process | SL | Command | TL | Command | DAC | Comments |
|---|---|---|---|---|---|---|
| $$ | IMPLEMENTATION LOW | lstxattr -f /tmp/hello.txt | TOP SECRET | settxattr -p efftl=TL TOP SECRET $$ | rwxrwxrwx | This will not allow the process to execute the vi command itself. |
Ensure that SL, TL Read, and TL Write are enabled using the getsecconf command .
If a process is not trustworthy, the process is denied WRITE access to the file if the file is classified as high.
| Process | SL | TL | Command | DAC |
|---|---|---|---|---|
| $$ | IMPLEMENTATION LOW | IMPLEMENTATION LOW | lstxattr -p $$ | rwxrwxrwx |
| File | SL | Command | TL | Command | DAC | Comments |
|---|---|---|---|---|---|---|
| /tmp/hello.txt | IMPLEMENTATION LOW | lstxattr -f /tmp/hello.txt | TOP SECRET | settxattr -f tl=TL TOP SECRET /tmp/hello.txt | rwxrwxrwx | If the file Integrity level is high, then the process will be denied write access. |
- File is not trustworthy: High-level process is denied read access.
- Process is not trustworthy: Low-level process is denied write access.
The following table helps you inderstand the access permission and information flow for different scenarios,combining both sensitivity and Integrity labels.
| User | File Label | Process Label | DAC | Command | Comments |
|---|---|---|---|---|---|
| isso |
|
| rw-r-r- |
|
|
| isso |
|
| rw-r-r- |
|
|
| isso |
|
| rw-r-r- |
|
|
| isso |
|
| rw-r-r- |
|
|
Labels introduce additional layers of security at the system level. This takes higher precedence over the traditional DAC. Keep the following rules of thumb in MLS as a reference.
- Access permission Thumb Rule
- Hierarchy of Access permissions
Access permission Thumb Rule
- To read, process SL must dominate file SL
- To write, process SL must equal file SL
- To execute, process SL must dominate file SL (same as for read access)
- No access allowed for disjoint SL
- Same rule applicable for TL
Hierarchy of Access permissions
- Integrity check based on Integrity labels
- Sensitivity verification based on the Sensitivity Label
- DAC permissions
In addition to this, RBAC-based authorizations and privileges are also used to enhance the security. As a system administrator or a developer, you must understand your requirement and configure your system accordingly.
As you have seen, this topic is not trivial. Contact your technical support for any further assistance or you can contact me for any further clarification on this topic.
Learn
-
The AIX and UNIX developerWorks zone provides a wealth of information relating to all aspects of AIX systems administration.
-
developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.
-
Podcasts: Tune in and catch up with IBM technical experts.
-
"Documentation: AIX6.1 Information"
-
"Redbook: AIX V6 Advanced Security Features
Introduction and Configuration"
Discuss
-
Participate in the AIX and UNIX forums:
- AIX Forum
- AIX Forum for developers
- Cluster Systems Management
- IBM Support Assistant Forum
- Performance Tools Forum
- Virtualization Forum
- More AIX and UNIX Forums
Rajesh K. Jeyapaul has a Masters degree in Software Systems and Business Administration. He leads an AIX development support team in Bangalore, India, and has authored IBM Redbooks. His area of expertise includes AIX problem determination, High Availability, Virtualization and Performance. You can reach Rajesh at jrkumar@in.ibm.com.
Comments (Undergoing maintenance)
Table of contents
Local resources
My developerWorks community
Tags
Use the slider bar to see more or fewer tags.
Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).
My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).
Popular article tags |
My article tagsSkip to tags list
Popular article tags |
My article tags
