File System Security Policy

This section describes mandatory and discretionary access checks for the following file system objects:

• Directories - Regular directories and multilevel directories.

• Files - Regular files, executable files, device special files, and symbolic links.

Discretionary Access

The owner of the process must have discretionary search (execute) access to all directories in the path preceding the final object. Once the final object is reached, access operations can be performed as follows.

• Read from a file or list the contents of a directory - Discretionary read access is allowed when a process has discretionary search (execute) access to all directories in the object's path and discretionary read access to the object.

• Write to a file, create a file or directory, or delete a file or directory - Discretionary write access is allowed when the process has discretionary search (execute) access to all directories in the object's path and discretionary write access to the object.

• Execute a file - Discretionary execute access is allowed when the process has discretionary search (execute) access to all directories in the file's path and discretionary execute access to the file.

Mandatory Access

In addition to passing the DAC checks, mandatory search access is required to all directories in the path preceding the final file. Mandatory search access to a directory is allowed when the process sensitivity label dominates the sensitivity label of all directories in the path. Once the final file is reached, access operations can be performed as follows.

• Read from a file, execute a file, list the contents of a directory, view file security attributes, or view file security attribute flags - Mandatory read access is allowed when the process has mandatory search access to all directories in the path and the process sensitivity label dominates the sensitivity label of the final object. If the final object is a device special file, the process sensitivity label must equal the device sensitivity label.

• Write to a file, modify file security attributes, modify file security attribute flags, or delete a file - Mandatory write access is allowed when the process has discretionary and mandatory search access to all directories in the path and the file's sensitivity label dominates the process sensitivity label. If the final object is a device special file, the process sensitivity label must equal the device sensitivity label.

• Create a file or directory - Create access is write-equal. When a process creates a file, directory, or symbolic link the process sensitivity label must equal the sensitivity label of the file or directory.

File System Access Privileges

When a discretionary or mandatory access check fails on a file system object, the process can assert privilege to bypass security policy, or raise an error if the task should not be allowed at the current label or for that user.

Discretionary access is enabled as follows:

• Search access to all directories in the path preceding the final file system object is enabled when the process asserts the file_dac_search privilege.

• Read access to the final object is enabled when the process asserts the file_dac_read privilege.

• Write access to the final object is enabled when the process asserts the file_dac_write privilege.

• Execute access to the final object is enabled when the process asserts the file_dac_execute privilege.

Mandatory access is enabled as follows:

• Search access to all directories in the path preceding the final file system object is enabled when the process asserts the file_mac_search privilege.

• Read access (including execute access) to the final object is enabled when the process asserts the file_mac_read privilege.

• Write access to the final object is enabled when the process asserts the file_mac_write privilege.

• Create access to the final object is enabled when the process asserts the file_mac_write privilege.