My understanding was the main driver for this was to handle existing security systems for defense. This is one use case. And that is not the simple UNIX system, which cannot handle multiple levels of data. That analogy is not appropriate to this use case.
If we don't want to handle existing military systems (at least US-based ones), then I am fine with the trivial discretionary access control mechanism that UNIX represents.

Best,
Mark Joseph
P6R, Inc
408-205-0361
One thing to keep in mind is the need to keep things simple.
Consider the Unix and Windows file access control systems. The Unix model is very crude and has not changed in 30 years. There are just three classifications (user/group/others) and a few bits of permissions. Yet, with BSD's addition of multiple groups, it gets the job done. Moreover, everyone understands it, and it is easy to see what is going on with ls -l.

OTOH, the Windows model is much more sophisticated. Full ACLs, with arbitrary permissions assignable to arbitrary (groups of) users, and inheritance; very complex environments can be modeled. But it is a complete mess. Nobody really understands it. The default tools make it impossible to understand or confirm the security of a larger number of files. In order to make it usable, "home groups" were introduced, whose exact semantics are very vague. And all this makes the system ultimately insecure to use in practice.

So I would suggest starting out with something very simple. Like just two classes of attributes, protected (z-) and normal (x-). Then see if that can be used to model what you need. Occasionally you might need to hack, such as duplicating an object, but that is OK. If needed, add a bit more.

Anthony
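The Unix check Anthony describes (three classes, a few bits, BSD supplementary groups) is small enough to write out in full. The following is an added example, not code from the thread or from any project discussed in it. It models the POSIX mode-bit decision as the kernel makes it: exactly one class (user, group, or other) is selected for the caller, and only that class's bits are consulted, so an owner can be locked out of a file that "others" can read. The root override follows Linux semantics (read/write always granted, execute only if some execute bit is set); the `Principal` and `Inode` types, the sample users and files, and the uid/gid values are all constructed for the example.

```python
import stat
from dataclasses import dataclass

# Permission bits, as in ls -l: r=4, w=2, x=1.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Principal:
    """A calling process: its uid, primary gid, and BSD-style supplementary groups."""
    uid: int
    gid: int
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Inode:
    """A file: owner uid, owning gid, and the nine permission bits (e.g. 0o640)."""
    uid: int
    gid: int
    mode: int


def class_of(p: Principal, ino: Inode) -> str:
    """Pick the single class whose bits apply to this caller.

    Order matters and is exclusive: an owner never falls through to
    'group' or 'other' bits, even if those would grant more.
    """
    if p.uid == ino.uid:
        return "user"
    if ino.gid == p.gid or ino.gid in p.groups:   # BSD multiple groups
        return "group"
    return "other"


def class_bits(ino: Inode, cls: str) -> int:
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    return (ino.mode >> shift) & 0o7


def check(p: Principal, ino: Inode, want: int) -> bool:
    """True if every bit in `want` is granted to `p` on `ino`."""
    if p.uid == 0:
        # Root override (Linux CAP_DAC_OVERRIDE semantics, assumed here):
        # read and write are always granted; execute on a file requires at
        # least one execute bit to be set somewhere in the mode.
        if want & X and not (ino.mode & 0o111):
            return False
        return True
    bits = class_bits(ino, class_of(p, ino))
    return (bits & want) == want


def ls_l(ino: Inode) -> str:
    """The mode column of ls -l, which is why the model is easy to audit by eye."""
    return stat.filemode(ino.mode | stat.S_IFREG)


def explain(p: Principal, ino: Inode) -> str:
    """Human-readable reason, useful when an access result surprises someone."""
    cls = class_of(p, ino)
    return f"{ls_l(ino)} uid={p.uid} matched class '{cls}' bits={class_bits(ino, cls):o}"


# Constructed sample data for a quick run.
alice = Principal(uid=1000, gid=1000)
bob = Principal(uid=1001, gid=1001, groups=frozenset({2000}))
carol = Principal(uid=1002, gid=1002)
root = Principal(uid=0, gid=0)

secret = Inode(uid=1000, gid=2000, mode=0o640)   # -rw-r-----
odd = Inode(uid=1000, gid=1000, mode=0o007)      # -------rwx

if __name__ == "__main__":
    print(explain(alice, secret), "read+write:", check(alice, secret, R | W))
    print(explain(bob, secret), "read via supplementary group:", check(bob, secret, R))
    print(explain(carol, secret), "read:", check(carol, secret, R))
    # The owner-exclusion edge case: alice owns `odd` but its user bits are 000.
    print(explain(alice, odd), "owner read:", check(alice, odd, R))
    print(explain(carol, odd), "other read:", check(carol, odd, R))
```

The `odd` file is the case worth remembering when reviewing a permission scheme built on class selection: the classes are not a ranking, so "more specific" does not mean "more privileged", and a mode such as 0o007 is a real (if unusual) lockout of the owner that only root gets past.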