 |
This article or section is written like a personal reflection or essay and may require cleanup. Please help improve it by rewriting it in an encyclopedic style.(December 2007) |
The concept of type enforcement (TE) in the field of information technology is related to access control. Implementing TE, gives priority to “mandatory access control” (MAC) over “discretionary access control” (DAC). Access clearance is first given to a subject (e.g. process) accessing objects (e.g. files, records, messages) based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In Linux security module (LSM) as SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before “Multi-Level Security” (MLS) or its ersatz “Multi categories Security” (MCS). It is a complement of “role based access control” (RBAC).
Contents |
Control
Type enforcement implies fine grained control over the operating system, not only to have control over processes execution, but also on “domain transition” or authorization scheme. This is why it is best implemented as a kernel module, as is the case with SELinux. Using Type Enforcement is a way to implement the FLASK architecture.
Access
Using type enforcement, users may (as in Microsoft Active Directory) or may not (as in SELinux) be associated to a domain, although original type enforcement model implies so. It is always necessary to define a TE access matrix containing rules about clearance granted to given security context, or subjects rights over objects according to an authorization scheme.
Security
Practically, type enforcement, evaluate a set of rules from the source security context of a subject, against a set of rules from the target security context of the object. A clearance decision occurs depending on the TE access description (matrix…). Then, DAC or others access control (MLS / MCS, …) apply.
History
The original type enforcement model stated that labels should be attached to subject and object: a “domain label” for a subject and a “type label ” for an object. This implementation mechanism was improved by the FLASK architecture, substituting complex structures and implicit relationship. Also, the original TE access matrix was extended to others structures: lattice-based, history-based, environment-based, policy logic… This is a matter of implementation of TE by the various operating systems. In SELinux, TE implementation does not internally distinguish TE-domain from TE-types. It should be considered a weakness of TE original model to specify detailed implementation aspects such as labels and matrix, especially using the terms “domain” and “types” which have others, more generic, wide acceptance.
References
- P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, October 1998. [1]
