From owner-freebsd-security  Tue Oct 14 08:46:53 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id IAA25284
          for security-outgoing; Tue, 14 Oct 1997 08:46:53 -0700 (PDT)
          (envelope-from owner-freebsd-security)
Received: from stt3.com (root@stt3.com [198.107.49.1])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA25264;
          Tue, 14 Oct 1997 08:46:47 -0700 (PDT)
          (envelope-from beattie@stt3.com)
Received: from durin(really [192.168.0.88]) by stt3.com
	via sendmail with smtp
	id <m0xL9AR-00009IC@stt3.com>
	for <freebsd-hackers@FreeBSD.ORG>; Tue, 14 Oct 1997 08:45:55 -0700 (PDT)
	(Smail-3.2 1996-Jul-4 #1 built 1997-Mar-5)
Date: Tue, 14 Oct 1997 08:45:54 -0700 (PDT)
From: Brian Beattie <beattie@stt3.com>
X-Sender: beattie@durin
To: "Matthew D. Fuller" <fullermd@futuresouth.com>
cc: Christopher Petrilli <petrilli@amber.org>,
        Brian Mitchell <brian@firehouse.net>,
        Colman Reilly <careilly@monoid.cs.tcd.ie>,
        Douglas Carmichael <dcarmich@mcs.com>, freebsd-hackers@FreeBSD.ORG,
        freebsd-security@FreeBSD.ORG
Subject: Re: C2 Trusted FreeBSD? 
In-Reply-To: <Pine.BSF.3.96.971013205059.3769F-100000@shell.futuresouth.com>
Message-ID: <Pine.GSO.3.95.971014084124.1809G-100000@durin>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 13 Oct 1997, Matthew D. Fuller wrote:

> On Mon, 13 Oct 1997, Christopher Petrilli wrote:
> 
> > >I'm fairly certain acl is _not_ a requirement in the dcl segment of c2.
> > >acl is, after all, just another form of group control at its very base.
> > 
> > It is not "mandatory," however the following paragraph exerpted from the 
> > TCSEC does make it clear that the exisintg group mechanism is NOT 
> > acceptable:
> > 
> >      "The access controls shall be capable of including or excluding 
> > access
> >       to the granulairty of a single user."
> I could be just being stupid here, but can't you do this by making
> everyone a member of a group with their login ID, and them only as a
> member and setting the file to (owner).user, mode 707, or something?
> Wouldn't that give everyone but that persona ccess to it?
> Did anyone even follow that?  not too clear, is it...
> 

Some people often read this requirement to mean that it must be possible
to set access rights on a file to exclude some arbitrary set of users.  To
do this you need one group for each permutation of users.  Techincally
possible but infeasable.  In fact I agree with your interpretation and I
believe so do the evaluators and most people in the INFOSEC community.