The concept of type enforcement (TE), in the field of information technology, is an access control mechanism for regulating access in computer systems. Implementing TE gives priority to mandatory access control (MAC) over discretionary access control (DAC). Access clearance is first granted to a subject (e.g. a process) accessing objects (e.g. files, records, messages) based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In SELinux, which is implemented as a Linux security module (LSM), the security context is stored as an extended attribute. A type enforcement implementation is a prerequisite for MAC, and a first step before multilevel security (MLS) or its replacement, multi-category security (MCS). It is a complement to role-based access control (RBAC).
Type enforcement implies fine-grained control over the operating system: not only control over process execution, but also over domain transitions and the authorization scheme. This is why it is best implemented as a kernel module, as is the case with SELinux. Using type enforcement is one way to implement the FLASK architecture.
Using type enforcement, users may (as in Microsoft Active Directory) or may not (as in SELinux) be associated with a Kerberos realm, although the original type enforcement model implies that they are. It is always necessary to define a TE access matrix containing rules about the clearance granted to a given security context, i.e. a subject's rights over objects according to an authorization scheme.
In practice, type enforcement evaluates a set of rules from the source security context of a subject against a set of rules from the target security context of the object. A clearance decision is made according to the TE access description (the matrix). Then DAC or other access control mechanisms (MLS / MCS, ...) apply.
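The following is an added illustration, not code from SELinux or from this article: a toy evaluator that models the pieces described above, namely a security context of the form user:role:type, a TE access matrix keyed on the source and target types, a domain transition triggered by executing a file of a given type, and a DAC mode-bit check applied only after the TE decision. The policy, contexts, uids and file modes are constructed for the example and are not the SELinux reference policy.

```python
"""Toy type-enforcement (TE) evaluator in the SELinux style.

Constructed illustration: the mini policy, security contexts, uids and file
modes below are made up for the example and are not SELinux's own policy.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """A security context user:role:type, as SELinux stores it in an xattr."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, label: str) -> Context:
        user, role, type_ = label.split(":")
        return cls(user, role, type_)


@dataclass
class Decision:
    granted: bool
    stage: str  # "te" or "dac" when denied, "ok" when granted


@dataclass
class Policy:
    # TE access matrix: (source type, target type, object class) -> permissions
    allow: dict[tuple[str, str, str], set[str]] = field(default_factory=dict)
    # RBAC complement: which domains (types) a role is authorised to run in
    role_types: dict[str, set[str]] = field(default_factory=dict)
    # Domain transition on exec: (calling domain, executable type) -> new domain
    transitions: dict[tuple[str, str], str] = field(default_factory=dict)

    def allow_rule(self, src: str, tgt: str, cls: str, perms: set[str]) -> None:
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def te_decision(self, subject: Context, obj: Context, cls: str, perm: str) -> bool:
        """Mandatory check: look up the (source type, target type) pair; default deny."""
        if subject.type not in self.role_types.get(subject.role, set()):
            return False  # the subject's role is not authorised for its domain
        return perm in self.allow.get((subject.type, obj.type, cls), set())

    def exec_transition(self, subject: Context, exe_type: str) -> Context:
        """Executing a file of exe_type may move the process into a new domain."""
        new_type = self.transitions.get((subject.type, exe_type), subject.type)
        return Context(subject.user, subject.role, new_type)


# DAC mode bit each TE permission needs; metadata-only permissions need none.
_DAC_BITS = {"read": 4, "write": 2, "append": 2, "execute": 1}


def dac_decision(uid: int, owner: int, mode: int, perm: str) -> bool:
    """Discretionary check on owner/other mode bits (groups omitted, uid 0 bypasses)."""
    bit = _DAC_BITS.get(perm)
    if bit is None or uid == 0:
        return True
    shift = 6 if uid == owner else 0
    return bool((mode >> shift) & bit)


def check_access(policy: Policy, subject: Context, uid: int,
                 obj: Context, owner: int, mode: int, cls: str, perm: str) -> Decision:
    """TE (MAC) is consulted first, DAC afterwards; both must grant, so an allow
    rule in the matrix never widens what the file's mode bits permit."""
    if not policy.te_decision(subject, obj, cls, perm):
        return Decision(False, "te")
    if not dac_decision(uid, owner, mode, perm):
        return Decision(False, "dac")
    return Decision(True, "ok")


def demo_policy() -> Policy:
    """Constructed mini policy for a web server domain (hypothetical type names)."""
    p = Policy()
    p.role_types = {"system_r": {"init_t", "httpd_t"}}
    p.allow_rule("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr", "open"})
    p.allow_rule("httpd_t", "httpd_log_t", "file", {"append", "getattr", "open"})
    p.transitions[("init_t", "httpd_exec_t")] = "httpd_t"
    return p


def demo() -> dict[str, Decision]:
    """Run a few requests from the httpd domain and return each decision."""
    p = demo_policy()
    init = Context.parse("system_u:system_r:init_t")
    httpd = p.exec_transition(init, "httpd_exec_t")  # init_t -> httpd_t
    content = Context.parse("system_u:object_r:httpd_sys_content_t")
    log = Context.parse("system_u:object_r:httpd_log_t")
    shadow = Context.parse("system_u:object_r:shadow_t")
    etc = Context.parse("system_u:object_r:etc_t")
    return {
        "read content": check_access(p, httpd, 48, content, 0, 0o644, "file", "read"),
        "write content": check_access(p, httpd, 48, content, 0, 0o644, "file", "write"),
        "append log": check_access(p, httpd, 48, log, 48, 0o600, "file", "append"),
        # TE allows reading content types, but this file's mode bits do not
        "read private content": check_access(p, httpd, 48, content, 0, 0o600, "file", "read"),
        "read shadow": check_access(p, httpd, 48, shadow, 0, 0o000, "file", "read"),
        # world-readable, yet no matrix entry: TE denies before DAC is even asked
        "read other": check_access(p, httpd, 48, etc, 0, 0o644, "file", "read"),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:21s} -> {'granted' if d.granted else 'denied at ' + d.stage}")
```

The `stage` field records which mechanism refused a request, which is what an audit trail needs: a denial at the TE stage means the matrix has no rule for that type pair, regardless of how permissive the file's mode bits are. One caveat for readers mapping this onto a real kernel: in Linux the DAC check runs before the LSM hook that performs the SELinux check; the combined outcome is the same, because both must grant.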
Type enforcement was introduced in the Secure Ada Target architecture in the late 1980s, with a full implementation developed in the Logical Coprocessing Kernel (LOCK) system.[1][2] The Sidewinder Internet Firewall was implemented on a custom version of Unix that incorporated type enforcement.
A variant called domain type enforcement was developed in the Trusted MACH system.
The original type enforcement model stated that labels should be attached to subjects and objects: a "domain label" for a subject and a "type label" for an object. This implementation mechanism was improved by the FLASK architecture, substituting more complex structures and implicit relationships. The original TE access matrix was also extended to other structures: lattice-based, history-based, environment-based, policy logic, and so on. This is a matter of how the various operating systems implement TE. In SELinux, the TE implementation does not internally distinguish TE domains from TE types. It should be considered a weakness of the original TE model that it specified detailed implementation aspects such as labels and the matrix, especially using the terms "domain" and "type", which have other, more generic, widely accepted meanings.