Type enforcement

From Wikipedia, the free encyclopedia

This article or section reads like a personal reflection or essay and may require cleanup.
Please improve this article by rewriting this article or section in an encyclopedic style. (documentation, talk)

The concept of Type enforcement (TE) in the field of information technology is related to access control. Implementing TE, gives priority to “mandatory access control” (MAC) over “discretionary access control” (DAC). Access clearance is first given to a subject (e.g. process) accessing objects (e.g. files, records, messages) based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In Linux security module (LSM) as SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before “Multi-Level Security” (MLS) or its ersatz “Multi categories Security” (MCS). It is a complement of “role based access control” (RBAC).

Contents

Type Enforcement implies, fine grained control over the operating system, not only to have control over processes execution but also on “domain transition” or authorization scheme. This is why e.g. in SELinux, it is best implemented as a kernel module. Using Type enforcement is a way to implement the FLASK architecture.

Using Type enforcement, users may (Microsoft Active Directory) or may not (SELinux) be associated to a domain, although original Type enforcement model implies so. It is always necessary to define a TE access matrix containing rules about clearance granted to given security context, or subjects rights over objects according to an authorization scheme.

Practically, Type enforcement, evaluate a set of rules from the source security context of a subject, against a set of rules from the target security context of the object. A clearance decision occurs depending on the TE access description (matrix…). Then, DAC or others access control (MLS / MCS, …) apply.

The original Type enforcement model stated that labels should be attached to subject and object: a “domain label” for a subject and a “type label ” for an object. This implementation mechanism was improved by the FLASK architecture, substituting complex structures and implicit relationship. Also, the original TE access matrix was extended to others structures: lattice-based, history-based, environment-based, policy logic... This is a matter of implementation of TE by the various operating systems. In SELinux, TE implementation does not internally distinguish TE-domain from TE-types. It should be considered a weakness of TE original model to specify detailed implementation aspects such as labels and matrix, especially using the terms “domain” and “types” which have others, more generic, wide acceptance.

Retrieved from "http://en.wikipedia.org../../../t/y/p/Type_enforcement.html"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.