Basic MAC constraint

The basic mandatory access control constraint is that untrusted subjects cannot cause data labeled at sensitivity label A to be labeled at B unless B dominates A.

The basic MAC constraint covers all classes of data. It includes restrictions on relabeling data (that is, changing the label on a data container) and on the movement of labeled data between data containers.

At various levels of the system (system call, system service utilities, etc.), this basic constraint is cast into more specific sets of rules, but always with the same basic philosophy, that data can, at most, be upgraded. For example, a first level of expansion is that processes can open for reading any of a large class of objects when the label of the process dominates the label of the object, and open for writing if the label of the object dominates that of the process.

For a regular file, write operations are further restricted to files at the same label as the process. For directories and devices, write operations are allowed if the subject's sensitivity label (SL) dominates the object's minimum SL and the object's maximum SL dominates the subject SL. For FIFO special files (named pipes), read operations are also restricted to FIFO special files at the same label as the process, for covert channel reasons.
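The read, write and relabel rules in the preceding paragraphs reduce to a small decision function over a label lattice. The following Python is an added illustration, not code from the page or from any trusted operating system; it assumes a label model of a hierarchical classification plus a set of compartments (so "A dominates B" means A's classification is at least B's and A carries every compartment of B), it treats the minimum SL of a directory or device as the object label for the read check (the page gives only the write rule for ranged objects), and it reads the page's "also" as applying the same-label write rule to FIFOs as well as the same-label read rule. The object kinds, the constructed labels and the function names are illustrative.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Classification(IntEnum):
    """Hierarchical part of a sensitivity label (constructed sample values)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A sensitivity label (SL): classification plus a set of compartments."""
    classification: Classification
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's classification is at least B's and
        # A contains every compartment that B contains (assumed lattice model).
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class FileObject:
    """A labeled object. Regular files and FIFOs carry one label; directories
    and devices carry a [min_label, max_label] range (kinds are illustrative)."""
    kind: str                      # "regular", "fifo", "directory" or "device"
    label: Optional[Label] = None
    min_label: Optional[Label] = None
    max_label: Optional[Label] = None


def relabel_allowed(old: Label, new: Label) -> bool:
    """The basic MAC constraint for an untrusted subject: data labeled `old`
    may only be relabeled (or copied) to `new` when `new` dominates `old`,
    i.e. data can at most be upgraded, never downgraded."""
    return new.dominates(old)


def mac_allows(subject: Label, obj: FileObject, mode: str) -> bool:
    """Decide whether an unprivileged process labeled `subject` may open `obj`
    for reading ('r') or writing ('w') under the rules described above."""
    if mode not in ("r", "w"):
        raise ValueError("mode must be 'r' or 'w'")
    if obj.kind == "regular":
        if mode == "r":
            return subject.dominates(obj.label)   # read down / read equal
        return subject == obj.label               # write only at the same label
    if obj.kind == "fifo":
        # Both directions restricted to the same label (read: covert channel
        # reasons; write: assumed to follow the regular-file rule).
        return subject == obj.label
    if obj.kind in ("directory", "device"):
        if mode == "r":
            # Assumption: the object's minimum SL stands in for "the object label".
            return subject.dominates(obj.min_label)
        # Write: subject SL within the object's range in dominance order.
        return subject.dominates(obj.min_label) and obj.max_label.dominates(subject)
    raise ValueError(f"unknown object kind {obj.kind!r}")


if __name__ == "__main__":
    # Constructed sample labels and objects for a quick demonstration.
    unclass = Label(Classification.UNCLASSIFIED)
    secret_nuc = Label(Classification.SECRET, frozenset({"NUCLEAR"}))
    shared_dir = FileObject("directory", min_label=unclass,
                            max_label=Label(Classification.TOP_SECRET, frozenset({"NUCLEAR"})))
    print("SECRET{NUCLEAR} reads UNCLASSIFIED file:",
          mac_allows(secret_nuc, FileObject("regular", label=unclass), "r"))
    print("SECRET{NUCLEAR} writes UNCLASSIFIED file:",
          mac_allows(secret_nuc, FileObject("regular", label=unclass), "w"))
    print("SECRET{NUCLEAR} writes into ranged directory:",
          mac_allows(secret_nuc, shared_dir, "w"))
    print("Downgrade SECRET{NUCLEAR} -> UNCLASSIFIED allowed:",
          relabel_allowed(secret_nuc, unclass))
```

The point the code makes explicit is that "dominates" is a partial order: two SECRET labels with disjoint compartments dominate neither each other, so neither process can read the other's regular files, and a directory whose maximum SL lacks a compartment is not writable by a subject that carries it.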

While data can migrate to a higher sensitivity label, this capability is not required for a given object and situation. For example, the operating system itself does not let an unprivileged process open a higher-label file for writing, although this is permitted under the basic MAC constraint. Whether to allow this upgrading by untrusted subjects is a matter of design and philosophy. In some cases it is useful and in some cases it is not. For example, the difficulty with direct writes to higher-label files is that the process cannot read these files, so a write to a higher-label file is of little use. However, a simple trusted utility that raises the label of a file at the request of an untrusted subject can be an acceptable and useful utility.

At the system-call level, the restriction is only on unprivileged processes. This means that privileged processes are not bound by this constraint. However, virtually all services that the trusted system performs will be designed for untrusted users, and therefore at the user-service level the constraint predominates.

The basic MAC constraint applies to all of the means that untrusted programs have at their disposal to transfer data. However, the basic MAC constraint is often broken into two components. The first component deals only with those operating system features intended for data transfer (or labeling); these features include, for example, reading and writing files and interprocess communication. The second component deals with means of communication not intended as such; these are called covert channels. It is nearly impossible to completely enforce the basic MAC constraint with respect to covert channels. For this reason, low data rate (for example, 0.1 bits per second) covert channels are allowed to exist, although only when there is a reasonable trade-off against other factors.

The basic MAC restriction is straightforward and simple, and there are relatively few detailed guidelines for dealing with multilevel data.