Information Labels

next up previous contents
Next: Information Labeling Mechanism Up: POSIX Security Interfaces Previous: MAC Labeling Mechanism

Information Labels

There may be instances where security-relevant information (perhaps in a label form) should be associated with subjects and objects and that these labels may not, in general, be used for mandatory access control decisions. Thus, in addition to MAC labeling, the POSIX.6 standard provides a mechanism for data labeling, which makes use of information labels.

Information labels can contain information such as the origin of the object (e.g., that it was created locally, copied from a remote machine, or supplied by a vendor.) a release marking, warning notices pertaining to the object, DAC advisories, project related information, etc. These labels, in general, can be used to support a ``data labeling'' policy, as opposed to ``sensitivity labeling'' policies supported by MAC labels.

In addition to the above uses, information labels can be used to trace data flow through a system by using the ``float'' feature that is unique to these labels. For example, new software that is being introduced into the system for the first time could be labeled ``suspect''. As the new software is used, the files that become associated with the software would, because of the float feature, become marked in the information label as ``suspect'' and having this association. If problems occur with the new software, it becomes very easy to see what files have been associated with the software.

John Barkley
Fri Oct 7 16:17:21 EDT 1994