Dominance relationships between security labels

Mandatory access checking is based on the dominance relationships between user security labels and object security labels. One security label dominates another security label when both of the following conditions are true:

  • The security level that defines the first security label is greater than or equal to the security level that defines the second security label.
  • The set of security categories that defines the first security label includes the set of security categories that defines the second security label.

Comparisons between user security labels and object security labels can result in four types of relationships:

Dominant
One security label dominates another security label when both of the following conditions are true:
  • The security level that defines the first security label is greater than or equal to the security level that defines the second security label.
  • The set of security categories that defines the first security label includes the set of security categories that defines the other security label.
Reading data requires that the user security label dominates the data security label.
Reverse dominant
One security label reverse dominates another security label when both of the following conditions are true:
  • The security level that defines the first security label is less than or equal to the security level that defines the second security label.
  • The set of security categories that defines the first security label is a subset of the set of security categories that defines the other security label.
Equivalent
One security label is equivalent to another security label when they are the same or have the same level and set of categories. If both dominance and reverse dominance are true for two security labels, they are equivalent. A user who is not able to write down must have a security label that is equivalent to the data security label to be able to both read and write the data.
Disjoint
A security label is disjoint or incompatible with another security label if incompatible security categories cause neither security label to dominate the other security label. Two security labels are disjoint when each of them has at least one category that the other does not have. Disjoint access is not allowed, even when a user is allowed to write down. If a user whose security label is disjoint from the data security label issues an INSERT, UPDATE, or LOAD command, Db2 issues an error.

Example: Suppose that the security level "secret" for the security label HIGH is greater than the security level "sensitive" for the security label MEDIUM. Also, suppose that the security label HIGH includes the security categories Project_A, Project_B, and Project_C, and that the security label MEDIUM includes the security categories Project_A and Project_B. The security label HIGH dominates the security label MEDIUM because both conditions for dominance are true.

Example: Suppose that the security label HIGH includes the security categories Project_A, Project_B, and Project_C, and that the security label MEDIUM includes the security categories Project_A and Project_Z. In this case, the security label HIGH does not dominate the security label MEDIUM because the set of security categories that defines the security label HIGH does not contain the security category Project_Z.
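
The following Python sketch is an added illustration, not Db2 or RACF code. It classifies two labels into the four relationships defined above and applies the read rule to the HIGH and MEDIUM labels from both examples. The numeric level ranks, the SecLabel type, the function names, and the "incomparable" result (for a pair where neither label dominates but the categories are not disjoint, a case this topic does not name) are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed numeric ranks; the page only states that "secret" > "sensitive".
LEVELS = {"sensitive": 1, "secret": 2}

@dataclass(frozen=True)
class SecLabel:  # hypothetical type for this example
    name: str
    level: str
    categories: frozenset

def dominates(a, b):
    """True when a's level >= b's level and a's categories include all of b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories

def relationship(a, b):
    """Classify label a against label b using the four relationships above."""
    fwd, rev = dominates(a, b), dominates(b, a)
    if fwd and rev:
        return "equivalent"
    if fwd:
        return "dominant"
    if rev:
        return "reverse dominant"
    # Disjoint: each label has at least one category the other lacks.
    if a.categories - b.categories and b.categories - a.categories:
        return "disjoint"
    # Level order and category order disagree; name chosen by this example.
    return "incomparable"

def can_read(user, data):
    """Reading requires that the user label dominates the data label."""
    return dominates(user, data)

def label(name, level, *cats):
    return SecLabel(name, level, frozenset(cats))

# Labels from the two examples above (MEDIUM_Z is the second example's MEDIUM).
HIGH = label("HIGH", "secret", "Project_A", "Project_B", "Project_C")
MEDIUM = label("MEDIUM", "sensitive", "Project_A", "Project_B")
MEDIUM_Z = label("MEDIUM", "sensitive", "Project_A", "Project_Z")

if __name__ == "__main__":
    for a, b in [(HIGH, MEDIUM), (MEDIUM, HIGH), (HIGH, HIGH), (HIGH, MEDIUM_Z)]:
        print(a.name, sorted(a.categories), "vs",
              b.name, sorted(b.categories), "->", relationship(a, b))
```

In the second example the labels are not only non-dominant but disjoint, because HIGH has Project_B and Project_C while MEDIUM has Project_Z.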