Path: utzoo!attcan!uunet!husc6!mailrus!uflorida!gatech!ulysses!smb
From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin)
Newsgroups: comp.unix.wizards
Subject: Re: B1 security in System V (was Re: Implications...)
Message-ID: <10855@ulysses.homer.nj.att.com>
Date: 14 Nov 88 19:15:21 GMT
References: <48300017@hcx3> <1698@cadre.dsl.PITTSBURGH.EDU> <10192@swan.ulowell.edu>
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 21

In article <10192@swan.ulowell.edu>, arosen@hawk.ulowell..edu (MFHorn) writes:
>
> What does this product do to get this rating?

I know about AT&T's System V/MLS; let me describe it a bit.  For those
who want more details, see the May/June 1988 issue of the AT&T Technical
Journal.  I'll start by quoting from the introduction:

``System V/MLS adds several security enhancements to the standard UNIX
system, including mandatory access controls based on labels consistent
with the DoD classification scheme, improved protection of passwords,
extensive auditing, boot-time assurance measures to detect the
introduction of malicious code, and restriction of certain capabilities
that historically have been responsible for security failures.''

The most interesting change is the way mandatory labels are implemented.
What's done is to reinterpret the GID.  Rather than being used for a
simple equality check, the System V/MLS GID is used as a pointer to a
label table; this table gives the security level, compartment
information, etc.
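The following C program is an added illustration of the idea Bellovin describes, not code from his post or from AT&T's System V/MLS. It assumes a hypothetical, constructed label table indexed by GID (the real product's table layout is not given here) and applies the standard DoD-style dominance rule for mandatory access control: a subject may read an object only if the subject's level is at least the object's level and the subject holds every compartment the object carries; a subject may write to an object only if the object's label dominates the subject's. The classic UNIX group check, a bare equality test on the GID, is shown beside it for contrast.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>

/* Hierarchical security levels (constructed for this example). */
enum { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Non-hierarchical compartments as a bitmask (constructed names). */
enum { COMP_A = 1u << 0, COMP_B = 1u << 1, COMP_C = 1u << 2 };

typedef struct {
    bool     assigned;      /* whether this GID slot names a label at all */
    int      level;         /* one of the enum values above */
    uint32_t compartments;  /* bitmask of COMP_* values */
    const char *name;       /* human-readable label, for diagnostics */
} mls_label;

/* Hypothetical label table: the GID is an index into it rather than a
   value compared for equality.  Slots not listed are unassigned. */
#define MAX_GID 16
static const mls_label label_table[MAX_GID] = {
    [1] = { true, UNCLASSIFIED, 0,               "UNCLASSIFIED"     },
    [2] = { true, SECRET,       COMP_A,          "SECRET {A}"       },
    [3] = { true, SECRET,       COMP_A | COMP_B, "SECRET {A,B}"     },
    [4] = { true, TOP_SECRET,   COMP_A,          "TOP SECRET {A}"   },
};

/* Resolve a GID to its label; NULL if the GID is out of range or unassigned. */
const mls_label *label_of_gid(gid_t gid)
{
    if (gid >= MAX_GID || !label_table[gid].assigned)
        return NULL;
    return &label_table[gid];
}

/* a dominates b: a's level is at least b's and a holds all of b's compartments. */
bool dominates(const mls_label *a, const mls_label *b)
{
    if (a == NULL || b == NULL)
        return false;   /* fail closed on an unlabelled subject or object */
    return a->level >= b->level &&
           (b->compartments & ~a->compartments) == 0;
}

/* Simple security property ("no read up"): subject must dominate object. */
bool mls_may_read(gid_t subject_gid, gid_t object_gid)
{
    return dominates(label_of_gid(subject_gid), label_of_gid(object_gid));
}

/* *-property ("no write down"): object must dominate subject. */
bool mls_may_write(gid_t subject_gid, gid_t object_gid)
{
    return dominates(label_of_gid(object_gid), label_of_gid(subject_gid));
}

/* The pre-MLS UNIX interpretation of the GID, for comparison: plain equality. */
bool classic_gid_check(gid_t subject_gid, gid_t object_gid)
{
    return subject_gid == object_gid;
}

int main(void)
{
    gid_t subject = 3;  /* SECRET {A,B} */
    gid_t objects[] = { 1, 2, 3, 4, 7 };
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++) {
        const mls_label *l = label_of_gid(objects[i]);
        printf("object gid %u (%s): read=%s write=%s classic=%s\n",
               (unsigned)objects[i], l ? l->name : "unassigned",
               mls_may_read(subject, objects[i])  ? "yes" : "no",
               mls_may_write(subject, objects[i]) ? "yes" : "no",
               classic_gid_check(subject, objects[i]) ? "yes" : "no");
    }
    return 0;
}
```

Note that the equality check and the dominance check disagree in both directions: the classic rule lets a SECRET {A,B} subject touch only objects in its own group, while the label rule permits reading the UNCLASSIFIED and SECRET {A} objects and writing to the TOP SECRET {A} one is still refused because compartment B is absent from its label. An unassigned GID yields no label, and both checks fail closed.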