The MAC mechanism used with POSIX.6 is a label enforcement mechanism. The access decisions to read (query) objects and write (alter) objects are determined by a general concept of equivalence and dominance between the label of a process (subject) and the label of an object (file, directory, etc.). Defining dominance is left to the conforming implementation, but generally a label ``dominates'' another label if it is ``equal or higher'' in some defined structure. For example, in military terms, a label of Top Secret dominates a label of Secret. To read an object, the label of the subject must dominate the label of the object. Reading an object not only includes trying to read the contents of the file, but also trying to read any attribute portion associated with the file, i.e., the access control information, the privilege information, the contents of a directory, directory manipulation, etc. To alter an object, the label of the subject must dominate the label of the object. Manipulating the attribute information of a file is also considered writing to the file, and the MAC-write restrictions are enforced. The POSIX.6 standard does not specify any structure to the security policy that will be the basis for the labels, i.e., it does not require that a lattice model be used.
The MAC label is the item visible at the POSIX interface that is used for mandatory access control decisions. Each subject (process) and each object (files, directories, etc.) shall have a MAC label as an attribute at all times. A physically unique label is not required to be associated with each subject and object, only that a label be logically associated. For example, all the files on one system could share the same label.
The specified interfaces that are used to support the MAC mechanisms are consistent with the model that uses opaque data objects. This means that MAC labels are not manipulated directly, but a copy is placed in a system allocated working storage area, manipulated there, and written back to a permanent area. The interfaces can be grouped into two sets, interfaces that deal with subject and object labels (e.g., reading, writing, duplicating, creating, etc.) and interfaces that deal with label management (testing equivalence/dominance, validating labels, text conversion).
The subject/object interfaces include those that will get (read) and set (write) the label of an object, and get (read) and set (write) the label of the requesting process. To set the MAC label of an object requires appropriate privilege.
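The decision rules and the set-label operation described above, as an added example that is not part of POSIX.6 or any conforming implementation: labels are modeled with one hypothetical lattice (a hierarchical level plus a compartment set, dominance meaning equal-or-higher level and compartment superset), and the privilege flag and every function name are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical label: a hierarchical level plus a compartment set held as a
   bit mask. POSIX.6 leaves the dominance structure to the implementation;
   this lattice is one common choice, not text from the standard. */
enum mac_level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

typedef struct {
    enum mac_level level;
    uint32_t compartments;   /* bit i set => compartment i present */
} mac_label_t;

/* a dominates b: equal or higher level, and b's compartments are a subset of a's. */
bool mac_dominates(const mac_label_t *a, const mac_label_t *b)
{
    return a->level >= b->level && (b->compartments & ~a->compartments) == 0;
}

/* Equivalence: dominance in both directions. */
bool mac_equivalent(const mac_label_t *a, const mac_label_t *b)
{
    return mac_dominates(a, b) && mac_dominates(b, a);
}

/* Read (query) decision as stated above: the subject's label must dominate
   the object's. Covers file contents and the attribute portion alike. */
bool mac_read_allowed(const mac_label_t *subj, const mac_label_t *obj)
{
    return mac_dominates(subj, obj);
}

/* Write (alter) decision as stated above: the subject's label must dominate
   the object's. Changing an object's attributes is a write as well. */
bool mac_write_allowed(const mac_label_t *subj, const mac_label_t *obj)
{
    return mac_dominates(subj, obj);
}

/* Setting an object's label is an attribute write: it needs MAC write access
   plus the (hypothetical) privilege flag; the edited working copy is then
   written back to permanent storage. Returns 0 on success, -1 if denied. */
int mac_set_object_label(const mac_label_t *subj, bool has_privilege,
                         mac_label_t *stored, const mac_label_t *working)
{
    if (!has_privilege || !mac_write_allowed(subj, stored))
        return -1;
    *stored = *working;
    return 0;
}
```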
The label management interfaces support the following functions: