From owner-freebsd-security Tue Oct 14 08:38:55 1997
Date: Tue, 14 Oct 1997 08:37:54 -0700 (PDT)
From: Brian Beattie
To: Christopher Petrilli
cc: Brian Mitchell, Colman Reilly, Douglas Carmichael, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: C2 Trusted FreeBSD?
In-Reply-To: <199710132110.RAA29578@dworkin.amber.org>

On Mon, 13 Oct 1997, Christopher Petrilli wrote:

> It is not "mandatory," however the following paragraph excerpted from the
> TCSEC does make it clear that the existing group mechanism is NOT
> acceptable:
>
>     "The access controls shall be capable of including or excluding
>     access to the granularity of a single user."
>
> This exclusion part is what makes it very difficult. You must be capable
> of giving access to everyone BUT a specific user. While theoretically I
> guess you could do it by managing billions of separate groups, I think
> it would fail nonetheless because of practical enforcement concerns.
>

This is an over-rigorous reading of this requirement. The Gould (B1?) system made it clear that UNIX access control meets this requirement. This can be understood when you read the requirement to say that: it must be possible to exclude access to an object by one particular user. This does not say that the system must provide a mechanism to exclude access to an object by every user on a user-by-user basis, a requirement every system would fail.

When reading the Orange Book, remember that to meet the requirements it is in general sufficient to meet only the minimum requirements. The authors were very careful in laying out the requirements without making assumptions on how they might be met.
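
Added example, not part of the original message or of FreeBSD: a small model of the classic UNIX mode-bit check, showing one way owner/group/other permissions can exclude a single user. It relies on the check consulting only the first matching class (owner, then group, then other). The user, group and file names are constructed for illustration, and the superuser bypass is not modelled.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # classic 9-bit mode, e.g. 0o604


def allowed(user, user_groups, inode, want):
    """Model of the classic check: exactly one class is consulted.

    Owner bits if the user owns the object, otherwise group bits if the
    user is in the object's group, otherwise the "other" bits. A user who
    matches the group class never falls through to "other".
    """
    if user == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in user_groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def readers(inode, groups):
    """Return the sorted list of users who may read the object."""
    return sorted(u for u, g in groups.items() if allowed(u, g, inode, R))


# Constructed sample data: "noreport" is a hypothetical group whose only
# member is the one user to be excluded.
GROUPS = {
    "alice": {"staff"},
    "bob": {"staff"},
    "carol": {"staff"},
    "mallory": {"staff", "noreport"},
}

# Exclude one user: group class gets no access, everyone else may read.
EXCLUDE_ONE = Inode(owner="alice", group="noreport", mode=0o604)
# Include one user besides the owner: only the group class may read.
INCLUDE_ONE = Inode(owner="alice", group="noreport", mode=0o640)

if __name__ == "__main__":
    print("0604:", readers(EXCLUDE_ONE, GROUPS))
    print("0640:", readers(INCLUDE_ONE, GROUPS))
```

The exclusion case needs one group per excluded set of users on an object, which is the administrative cost the quoted message raises.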