I-0239: Subject Access Revocation After Change In User Clearance
NUMBER: I-0239
STATUS: Approved by CCEVS Management and Mailed to Public Mailing List
TITLE: Subject Access Revocation After Change In User Clearance
APPROVAL POSTING: [announce 0361]
EFFECTIVE: 1994-04-19
REQUIREMENT: Mandatory Access Control
CRITERIA CLASSES: B1, B2, B3, A1
DOCUMENT(S): Trusted Facility Manual
RELATED TO:
I-0001 Delayed Enforcement Of Authorization Change
I-0002 Delayed Revocation Of DAC Access
I-0003 Access Validation After Object Label Change
I-0004 Enforcement Of Audit Settings Consistent With Protection Goals
STATEMENT: The following interprets all of the MAC requirement. If a system allows an administrator to change the MAC subject security database values (e.g., the clearance range for a user), the TFM shall describe how the change can be accomplished while still enforcing the system's MAC policy as specified in the security database. A procedure followed by an administrator is sufficient for the enforcement of the policy if it is easy to ensure that the values in the database control all subsequent actions (e.g., read from a file, no batch jobs run under the wrong clearance). If the procedure is too complicated, TCB enforcement shall be required.
PROJECTED IMPACT: May have some impact.
SUPPORT: Only a system administrator should be capable of changing a user's clearance range. Complexities lie in handling subjects queued for later execution (e.g., batch jobs). System administrators are supposed to understand the product and the system security policy that is being enforced. Procedural methods of ensuring that no relevant subjects are active while a user's clearance is being changed may not be difficult. For example, the procedure could be that the administrator must always lock a user's account and make sure that no subjects are active or queued under that user's identification before changing the user's clearance. A more supportive TCB implementation would either inform the system administrator if the change in the user's range would affect a current subject (e.g., the subject's current label is not within the new clearance range), or provide immediate enforcement of the new range. Batch jobs may be more difficult to locate, and a TCB mechanism that checks MAC and DAC attributes before executing batch jobs makes an administrative procedure unnecessary.
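The two TCB options named in the SUPPORT section (report the subjects a clearance change would invalidate, or enforce the new range immediately) and the batch-dispatch check can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from interpretation I-0239 or from any evaluated product. Label dominance, the clearance-range representation, the user "alice" and all subjects are constructed assumptions.

```python
"""Toy model of subject revocation after a user's MAC clearance change.

Added illustration (not part of I-0239 or any evaluated TCB).  Labels use
the usual lattice: a label dominates another when its level is at least as
high and its category set is a superset.  A clearance range is a pair of
labels; a label is within the range when it lies between them by dominance.
All sample users, labels and subjects below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level plus non-hierarchical categories."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class ClearanceRange:
    """A user's clearance range: every label L with low <= L <= high (dominance)."""
    low: Label
    high: Label

    def contains(self, label: Label) -> bool:
        return self.high.dominates(label) and label.dominates(self.low)


@dataclass
class Subject:
    """A process (active) or batch job (queued) acting on behalf of a user."""
    name: str
    user: str
    label: Label
    state: str = "active"  # "active", "queued" or "revoked"


@dataclass
class SecurityDatabase:
    """The MAC subject security database plus the subjects currently known to the TCB."""
    clearances: Dict[str, ClearanceRange]
    subjects: List[Subject] = field(default_factory=list)

    def affected_by(self, user: str, new_range: ClearanceRange) -> List[Subject]:
        """Live subjects of `user` whose current label falls outside the new range."""
        return [s for s in self.subjects
                if s.user == user and s.state in ("active", "queued")
                and not new_range.contains(s.label)]

    def change_clearance(self, user: str, new_range: ClearanceRange,
                         enforce: bool) -> Tuple[bool, List[Subject]]:
        """Administrative clearance change.

        enforce=False models the "inform" option: the change is refused and
        the conflicting subjects are reported so the administrator can follow
        the TFM procedure (lock the account, drain subjects, retry).
        enforce=True models immediate enforcement: conflicting subjects are
        revoked (terminated if active, dropped from the queue if queued) and
        the new range is recorded.
        """
        affected = self.affected_by(user, new_range)
        if affected and not enforce:
            return False, affected
        for s in affected:
            s.state = "revoked"
        self.clearances[user] = new_range
        return True, affected

    def dispatch_batch(self, job: Subject) -> bool:
        """Re-check a queued job's label against the *current* clearance at run time."""
        if job.state != "queued":
            return False
        if not self.clearances[job.user].contains(job.label):
            job.state = "revoked"  # never run a batch job under the wrong clearance
            return False
        job.state = "active"
        return True


def build_sample_db() -> SecurityDatabase:
    """Constructed sample: alice is cleared up to level 2 with category CRYPTO."""
    secret_crypto = Label(2, frozenset({"CRYPTO"}))
    db = SecurityDatabase({"alice": ClearanceRange(Label(0), secret_crypto)})
    db.subjects = [
        Subject("editor", "alice", secret_crypto),                 # active process
        Subject("nightly", "alice", secret_crypto, state="queued"),  # queued batch job
        Subject("report", "alice", Label(1), state="queued"),       # queued batch job
        Subject("shell", "alice", Label(0)),                        # active process
    ]
    return db


if __name__ == "__main__":
    db = build_sample_db()
    lowered = ClearanceRange(Label(0), Label(1))  # admin drops alice to level 1, no categories
    ok, hits = db.change_clearance("alice", lowered, enforce=False)
    print("inform mode applied:", ok, "conflicts:", [s.name for s in hits])
    ok, hits = db.change_clearance("alice", lowered, enforce=True)
    print("enforce mode applied:", ok, "revoked:", [s.name for s in hits])
    for job in db.subjects:
        if job.name in ("nightly", "report"):
            print("dispatch", job.name, "->", db.dispatch_batch(job))
```

In inform mode the change is rejected while `editor` and `nightly` still hold a label the lowered range cannot contain; in enforce mode both are revoked, `shell` keeps running, the stale `nightly` job is refused at dispatch, and `report` (level 1, no categories) still runs. The dispatch-time re-check is what makes the "no batch jobs run under the wrong clearance" condition hold regardless of whether the administrator followed a drain-the-queue procedure first.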