T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
475.1 | 1st guess it's a trusted path command | SMURF::BAT | Segui la tua beatitudine | Tue Apr 15 1997 20:23 | 41 |
| I think you are getting EACCES permission denied because a regular user
is not allowed to run the chlabel command (of which chlevel is an old
variant) from the command line because chlabel is a trusted path command.
(If you put in your PATH environment variable the directories
/usr/tcb/tpath /tcb/tpath /usr/tcb/bin /tcb/bin
in that order, then when you do a which on the command, you will more
than likely get the drift of which ones are tpath commands, because
they'll be in either of the tpath directories -- there are exceptions,
of course; I think passwd is not in a tpath directory, but it is a
tpath command -- at least it errors with "Can only change password
through the Trusted Path")
Unprivileged users can only issue trusted path commands from the
Trusted Path menu: if you are lucky, there is a built-in defined for
the thing you are trying to do, if you are not, you have to use the
infamously awkward "Start Application" option of the TP menu. You can
always add your own built-ins if you are into customization.
With the chlabel command there is an X client, dxchlevel, that is the
trusted path version of chlabel: "Get/Set File Label" on the TP menu.
Note that with dxchlevel, you need to have the two command auths
"downgrade_sl" and "downgrade_il" (see the u_cmdpriv field in
/tcb/files/auth record) in order to downgrade the labels on files;
downgrade kernel or base privileges are not relevant. [Long story why
this is as it is (i.e., confusing): deleted.]
If you are Joe User running on a headless box, with no head nearby on
which you can display the dxchlevel client (or use the Start Application
menu box to enter the chlevel command, to which the downgrade priv
does apply) then you are going to have to make Joe a privileged user.
There are many dastardly ways to do this; the simplest is to edit
/etc/group and put Joe in group tpath. He should be able to run trusted
path commands from the command line; you have effectively broken
trusted path for Joe. You could sort of make up for that by making
sure he is running sh and that he has all the CDPATH and PATH
environment variables set and locked upon login; one approved way to do
that is to make him run Rsh, the restricted shell. That too requires a
longer explanation. If for some reason you need it, just ask and I'll
rattle on. It may not help :-)
|
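The "which on the command" check described in 475.1, written out as a small script. This is an added example, not part of the original note or of MLS+ itself: the four directory names and the passwd exception come from the note above; the file tree the script builds under a temp directory is constructed purely to run the check offline and says nothing about where these binaries really live on an installed system.

```sh
#!/bin/sh
# Classify a command as a trusted-path (tpath) command by resolving it
# against the tpath directories first, the way 475.1 suggests doing with
# PATH and `which`. Added example; the stand-in tree below is constructed.

# Ordered search list from 475.1.
TPATH_SEARCH="/usr/tcb/tpath /tcb/tpath /usr/tcb/bin /tcb/bin"

# Known exception from 475.1: passwd is a tpath command even though it does
# not live in a tpath directory, so a directory check alone would miss it.
TPATH_EXCEPTIONS="passwd"

# resolve_cmd NAME [ROOT]
# Prints the first directory in TPATH_SEARCH (relative to ROOT, which is
# empty for a live system) holding an executable NAME; returns 1 if none.
resolve_cmd() {
    name=$1; root=${2:-}
    for d in $TPATH_SEARCH; do
        if [ -x "$root$d/$name" ] && [ ! -d "$root$d/$name" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# classify_cmd NAME [ROOT]
# Prints "tpath" when the command lives under a */tpath directory or is a
# listed exception, "non-tpath" when it resolves elsewhere in the tcb
# directories, and "unknown" (exit 1) when it resolves nowhere in the list.
classify_cmd() {
    name=$1; root=${2:-}
    for e in $TPATH_EXCEPTIONS; do
        [ "$e" = "$name" ] && { printf 'tpath\n'; return 0; }
    done
    dir=$(resolve_cmd "$name" "$root") || { printf 'unknown\n'; return 1; }
    case $dir in
        */tpath) printf 'tpath\n' ;;
        *)       printf 'non-tpath\n' ;;
    esac
}

# make_demo_tree
# Builds a constructed stand-in tree under a temp dir and prints its path.
# Placement of chlabel follows 475.5 (/tcb/tpath/chlabel); the rest is an
# assumption made only so the check has something to resolve against.
make_demo_tree() {
    root=$(mktemp -d)
    for d in $TPATH_SEARCH /usr/bin; do mkdir -p "$root$d"; done
    for f in chlabel dxchlevel; do
        : > "$root/tcb/tpath/$f"; chmod 755 "$root/tcb/tpath/$f"
    done
    : > "$root/tcb/bin/lslabel";  chmod 755 "$root/tcb/bin/lslabel"
    : > "$root/usr/bin/passwd";   chmod 755 "$root/usr/bin/passwd"
    printf '%s\n' "$root"
}

# Stand-alone demonstration against the constructed tree.
demo() {
    root=$(make_demo_tree)
    for c in chlabel lslabel passwd nosuchcmd; do
        printf '%s: %s\n' "$c" "$(classify_cmd "$c" "$root")"
    done
    rm -rf "$root"
}
```

On a real system call `classify_cmd chlabel` with no ROOT argument; the exception list is the caveat from the note, since tpath-ness is a property of the command, not only of its directory.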
475.2 | Tried Start Application... | ADISSW::FERRARA | | Wed Apr 16 1997 11:29 | 13 |
|
Me again,
I've also tried changing the file's sensitivity level via
the Start Application window interface...I get to the screen
where I can change the level and anything I type in the Level
Field I get a bell sound -- meaning I can't change it...
My userT account has downgrade_sl and downgrade_il command auths.
What gives?
-B
|
475.3 | Start App or Get/Set Label? | SMURF::SCHOFIELD | Rick Schofield, DTN 381-0116 | Wed Apr 16 1997 12:10 | 6 |
| Did you try using the "Get/Set File Label" in the trusted path?
Do you get the same behavior there? I guess I'm a little unclear
on why you'd use the Start Application selection to change your
file's SL?
Rick
|
475.4 | | ADISSW::FERRARA | | Wed Apr 16 1997 12:20 | 6 |
|
Actually, I did both, first using the Get/Set File Label from the
Trusted Path...
-Bob
|
475.5 | not sure I'm understanding exactly what you are doing | SMURF::BAT | Segui la tua beatitudine | Wed Apr 16 1997 17:45 | 46 |
| re: .2:
A quick next answer is: read the next topic, re:
invariants, and see if any of those apply.
A longer answer, taking another tack entirely, is:
I think we need to get more specific here, because the
description you are giving doesn't map to my notion
of what I think one ought to be doing. I may just be
misreading; straighten me out. For example, your statement:
> I've also tried changing the file's sensitivity level via
> the Start Application window interface...
Means to me that you clicked MB3 in the TP region, selected
Start Application (pressed the A key or moved the pointer to it
and pressed MB3), edited the contents of "The application"
box to read "/tcb/tpath/chlabel -S 's a b' /tmp/foo" or the
equivalent, and then clicked on the Apply or OK button.
Does that description agree with what you did? Because
if it does, then the following statement does not follow:
> I get to the screen
> where I can change the level and anything I type in the Level
> Field I get a bell sound -- meaning I can't change it...
If the above statement was meant to follow the first statement
then that suggests to me that perhaps what you did was
click on the Change button and changed _that_ label. That
label says what SL the process in "The application" box is
to run at -- not the label of the file you are attempting
to change. If you attempted to change the process SL to the
label you wanted the file to be, which is a lower label
than what the file is now, you probably would get an EACCES,
because the chlabel process would not dominate (read "wouldn't see")
the file you want to change.
Using this method to change the SL, the default Start App SL when
you log in, which is your clearance, is a good thing, so don't
change it. In any case, I believe the value for the process
SL should dominate the SL of the file you are changing. So
it should be at least at the level of the file as it is
currently ("from"), not below it ("to").
|
475.6 | so what message did you get from dxchlevel | SMURF::BAT | Segui la tua beatitudine | Wed Apr 16 1997 17:53 | 19 |
| re: .4
So I'm not sure what you did there either, or where it failed with
what message. So, to get down to brass tacks, here's what you can
tell us:
As root:
1. lslabel and ls -l of the file
2. lslabel and ls -l of the parent directory of the file
3. cat of the account's protected password database entry
/tcb/files/auth/{a-z}/{accountname}
And, as the user other than root:
4. Describe what keys you hit, where you clicked, and what message
boxes popped up telling you you couldn't do what you wanted to do.
If you want to do this in realtime, call me.
|
475.7 | | ADISSW::FERRARA | | Wed Apr 16 1997 22:57 | 6 |
|
Thanks for the info..unfortunately I need to pack my office
for our move to ZKO this weekend...I will get back with replies
to your previous message...
-BobF
|
475.8 | seeing is believing | SMURF::BAT | Segui la tua beatitudine | Thu Apr 17 1997 18:28 | 1 |
| In that case, come get me so I can look at it, once you move in.
|
475.9 | | ADISSW::FERRARA | | Tue Apr 22 1997 09:45 | 3 |
|
Where are you?
|
475.10 | Cell number | SMURF::BAT | Segui la tua beatitudine | Tue Apr 22 1997 13:55 | 1 |
| ZKO3-2/X46
|
475.11 | brief summary: chlabel as non-root | SMURF::BAT | Segui la tua beatitudine | Tue May 13 1997 14:26 | 36 |
| The "proper" way for a non-privileged user (i.e., with only the
downgrade_sl and downgrade_il command auths) to downgrade a file in the
system as shipped is to use the trusted path mechanism.
This means using the X interface, using the "Get/Set File Label" option
(dxchlevel) of the Trusted Path (dxtp) menu.
If you want to change the label of a file residing on a headless MLS+
system (the target), then you must either:
a. NFS mount that file system on the MLS+ system which has a head (the
"source" system) to give the user logged in on the console of the system
access to the data.
or
b. (1) give the target system display rights to the source system
(see "Session Access Control" on the dxtp menu, man dxhostuser,
xhostuser, xhost)
(2) rlogin/telnet to the target system
(3) set the display back to the source system
(setenv DISPLAY hostname:0 or use -display option on client)
(4) run dxtp_remote client on the target system
If for some reason, you cannot use X*, then you can either set up a
captive account and write your own genericepa or specific "chlabel"
envelope application, or you have to break the trusted path mechanism.
(*Note that the MLS+ SPD says that you have to have at least one
"headed" system in a configuration.)
Normally, to break trusted path, you could just (1) set the protection
on the trusted path directories such that "other" can read and execute
(or at least execute) and (2) put the user in the tpath group.
However, chlabel is not set up right now for breaking tp in this way
(it's broken for breaking :-).
|