I-0048: Subject Sensitivity Labels With Access Class Range
NUMBER: I-0048
STATUS: Tabled
REASON: This was tabled at the 5/95 meeting per the background,
but the stage was never updated.
TITLE: Subject Sensitivity Labels With Access Class Range
REQUIREMENT: Subject Sensitivity Labels
CRITERIA CLASSES: B2, B3, A1
DOCUMENT(S): <None>
RELATED TO: <None>
STATEMENT: The following interprets the requirement that ``A terminal user shall be able to query the TCB as desired for a display of the subject's complete sensitivity label.''

A user interacting with the TCB through a terminal session or through a window shall be able to request from the TCB the label and privilege information employed in MAC decisions made on behalf of the subject for requests issued through that session or window. If such label and privilege information associated with the session/window is constantly displayed by the TCB, no user request need be available. A user request for subject label display may kill the currently executing command but shall not kill the current session.

PROJECTED IMPACT: Negligible impact anticipated.

SUPPORT: The intent of the requirement under interpretation is to allow a human user to determine, with assurance, the current label and privilege information used when making MAC decisions when requests are issued. These requests can be issued in a number of different ways: through the traditional ``dumb'' terminal command interface, or through interaction with one of many windows on a screen. The interpretation states that the ability to query for this information must be available unless the information is constantly displayed by the TCB to the human user. For a constant display to satisfy this requirement, it must be clear that the label display cannot be spoofed by an untrusted subject.

The interpretation also addresses the information content resulting from the query. Subjects potentially have multiple labels: minimum labels, maximum labels, current labels, etc. Subjects may also have privileges that are used when making MAC decisions, such as the privilege to bypass MAC checks. The interpretation points out that the result of the query must include any such information that is used when making a MAC check during processing of requests through the session or window.

The last sentence of the interpretation indicates that asking for the MAC information about a session must not have the side effect of killing that session. For example, if a trusted path must be invoked to make the request, invoking the trusted path should not kill the session, which would make the request meaningless (because the session in question is gone).