InfoSec Notes
Understanding MAC systems where access decisions are enforced by the system based on security labels, covering Bell-LaPadula, Biba models, and SELinux.
Overview
In MAC, the system enforces access policies that cannot be overridden by resource owners. Access decisions are based on security labels (classifications) assigned to both subjects and objects by a security administrator.
MAC Model
============
Security Administrator assigns labels
Subject (User) → Security Clearance: "Secret"
Object (File) → Classification: "Confidential"
System enforces
If Clearance >= Classification → Access GRANTED
If Clearance < Classification → Access DENIED
Owner CANNOT override this decision!
Bell-LaPadula Model (Confidentiality)
Bell-LaPadula Rules
======================
Security Levels: Top Secret > Secret > Confidential > Unclassified
Simple Security Rule ("No Read Up")
A subject can only READ objects at or BELOW their clearance level.
Secret clearance → Can read Secret and below, NOT Top Secret
*-Property ("No Write Down"):
A subject can only WRITE to objects at or ABOVE their clearance level.
Secret clearance → Can write to Secret and above, NOT Confidential
Purpose: Prevents information from flowing DOWN (protects confidentiality)
Example
User: Secret clearance
✓ Read Confidential document
✓ Read Secret document
✗ Read Top Secret document
✗ Write to Confidential document (would leak Secret info down)
✓ Write to Secret document
✓ Write to Top Secret document
Biba Model (Integrity)
Biba Integrity Rules
=======================
Integrity Levels: High > Medium > Low
Simple Integrity Axiom ("No Read Down")
Subject can only READ objects at or ABOVE their integrity level.
Medium integrity → Can read Medium and High, NOT Low
*-Integrity Axiom ("No Write Up"):
Subject can only WRITE to objects at or BELOW their integrity level.
Medium integrity → Can write to Medium and Low, NOT High
Purpose: Prevents corruption from flowing UP (protects integrity)
Bell-LaPadula vs Biba (opposite rules!):
Bell-LaPadula: No read up, no write down (confidentiality)
Biba: No read down, no write up (integrity)
SELinux Implementation
# SELinux security context format:
# user:role:type:level
# View file context
$ ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
# View process context
$ ps -eZ | grep httpd
system_u:system_r:httpd_t:s0 /usr/sbin/httpd
# SELinux policy rule:
# allow httpd_t passwd_file_t : file { read getattr };
# (httpd process can read passwd file, nothing else)
# If httpd is compromised, attacker still cannot:
# - Read /etc/shadow (shadow_t, not allowed)
# - Write to /var/www (httpd_sys_content_t write denied)
# - Execute arbitrary binaries (confined to httpd_t domain)Python MAC Simulation
Interview Questions
- What is the fundamental difference between MAC and DAC?
- In DAC, resource owners control access (discretionary). In MAC, the system enforces access based on security labels assigned by administrators — owners cannot override the system policy. MAC prevents information flow violations that DAC cannot.
- Explain the Bell-LaPadula "no read up, no write down" rules.
- No read up: Users cannot read data above their clearance (prevents unauthorized access to sensitive information). No write down: Users cannot write to lower classifications (prevents leaking sensitive information to less-secure locations). Together they enforce confidentiality.
- Why are Bell-LaPadula and Biba considered complementary?
- Bell-LaPadula protects confidentiality (prevents unauthorized disclosure). Biba protects integrity (prevents unauthorized modification). They have opposite rules because the information flow concerns are inverted. A complete system might implement both.
- How does SELinux implement MAC on Linux?
- SELinux assigns security contexts (labels) to all processes and files. Policy rules define which process types can access which file types and with what permissions. Even root processes are confined to their security domain, preventing privilege escalation beyond the policy.
- What are the practical limitations of MAC?
- Complex to administer, rigid (may impede productivity), difficult to define all necessary policies upfront, users may find workarounds, and the "no write down" rule can prevent legitimate business operations. Often combined with RBAC for practical deployments.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Mandatory Access Control (MAC).
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, access, control, mandatory, mac
Related Information Security Topics