Multilevel Security
Multilevel Security (MLS) is a means of restricting access to objects based on the sensitivity (as represented by an object sensitivity label) of the information contained in the objects and the formal authorization (as represented by a session sensitivity label) of subjects to access information of such sensitivity. Levels are composed of a hierarchical security classification and some number of categories. A level is said to dominate another level if the classification of the first is equal to or greater than the classification of the second and all of the categories of the second are included in the categories of the first. A level is said to equal another level if the classification and categories are the same. If a level dominates but is not equal to a second level, the first is said to strictly dominate the second.
Multilevel Security is enforced in Trusted RUBIX by associating sensitivity labels with subjects and objects and mediating all accesses based on those sensitivity labels. The set of sensitivity labels is partially ordered by the dominates relationship. The set of sensitivity labels and the dominates relationship form a lattice.
Subjects are assigned a session sensitivity label reflecting the maximum sensitivity of the information they are permitted to access. Objects are assigned an object sensitivity label reflecting the sensitivity of the data contained within. In general, objects are sensitivity labeled with the session sensitivity label of the creating subject. Containers, other than rows, which hold MLS protected objects (e.g., databases which hold tables), may contain objects equal to or greater than the container’s sensitivity label. Trusted RUBIX databases, catalogs, schemas, tables, views, indexes, and rows are protected containers which are MLS sensitivity labeled. A subject is permitted to read an object at a particular object sensitivity label if the session sensitivity label of the subject dominates the sensitivity label of the object. A subject is permitted to write an object at a particular object sensitivity label if the session sensitivity label of the subject is equal to the sensitivity label of the object.
Trusted RUBIX provides mandatory access control features that are built atop the mandatory access control primitives of the host operating system. The security lattice defined for the operating system is used for the Trusted RUBIX protected objects and subjects.
The clearest explanation of MAC can be provided by reviewing an example from the defense establishment. In the U.S. Department of Defense (and, naturally, other nations' defense establishments), information is assigned a security classification which reflects the sensitivity of that information, i.e., UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP_SECRET. These are also referred to as hierarchical security classifications because each one “dominates” the previous. Along with the security classifications assigned to information, security clearances are assigned to people who may potentially access that information. The security clearance represents your authorization to receive information of a certain sensitivity. Whether or not you can actually access the information also depends upon your need-to-know.
Fundamentally, it is recognized that the more sensitive a piece of information, the more tightly it should be controlled. For example, even if you have a TOP_SECRET security clearance, you probably have no business accessing TOP_SECRET missile targeting information if your job description is intercepting and translating enemy communications. The way that this problem is addressed is to embellish the security classifications with extra indicators that show specifically which audience should be granted access to the data. The security classifications are typically augmented by categories (also known as codewords or compartments). Categories often look like nonsense words, but are of vital meaning to those who have a need to know. The combination of a classification with a set of categories is known as a sensitivity label. Trusted RUBIX manages the storage and manipulation of its own sensitivity labels, but relies on the operating system to interpret the sensitivity labels.
MAC enforcement in Trusted RUBIX follows the six rules below:
- A subject may read a piece of information if the subject’s session sensitivity label dominates the object sensitivity label of the information.
- If a subject creates a piece of information, that information is sensitivity labeled with the session sensitivity label of the subject.
- A subject can modify a row of a table if its session sensitivity label equals the object sensitivity label of the information. There are no provisions in Trusted RUBIX for an untrusted subject to write a piece of information to a higher object sensitivity label than the subject’s session sensitivity label (a write-up).
- When two pieces of information are combined, the object sensitivity label of the resultant information must be chosen to dominate the object sensitivity labels of the original pieces of information. This is accomplished by taking the higher of the two hierarchical classifications and combining both sets of categories.
- When a piece of information is extracted from another piece of information, it inherits a sensitivity label that dominates the label of the original piece of information.
- Containers holding other MAC protected objects (all containers except rows) may contain objects with sensitivity labels equal to or greater than the container’s sensitivity label.
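The following is an added worked example, not code from Trusted RUBIX or its documentation, that models the dominance relationship and lattice join described above and applies the six MAC rules as a mediation check. It assumes the four DoD classifications named on this page ranked low to high; the Label class, the helper functions, and the category names ALPHA and BRAVO are constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical classifications ranked low to high. The names are the ones
# the text uses; assigning them integer ranks is an assumption of this example.
CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical classification plus a set of categories."""
    classification: str
    categories: frozenset = frozenset()

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {self.classification}")
        # Accept any iterable of categories but store them immutably.
        object.__setattr__(self, "categories", frozenset(self.categories))

    def dominates(self, other):
        # Classification is at least as high AND every category of `other`
        # is included in ours. Equal labels dominate each other.
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and other.categories <= self.categories)

    def strictly_dominates(self, other):
        return self.dominates(other) and self != other

    def join(self, other):
        # Least upper bound in the lattice (rule 4 for combined information):
        # the higher classification together with the union of both category sets.
        higher = max(self.classification, other.classification, key=CLASSIFICATIONS.get)
        return Label(higher, self.categories | other.categories)


# Rule 1: read requires the session label to dominate the object label.
def can_read(session, obj):
    return session.dominates(obj)


# Rule 3: write requires equality; no write-up (and no write-down) is possible.
def can_write(session, obj):
    return session == obj


# Rule 2: a newly created object carries the creating subject's session label.
def label_for_new_object(session):
    return session


# Rule 5: extracted information keeps a label dominating the original's label.
def extract_is_allowed(original, new_label):
    return new_label.dominates(original)


# Rule 6: containers other than rows may hold objects labeled equal to or above them.
def container_may_hold(container, obj):
    return obj.dominates(container)


def mediate(session, obj, op):
    """Return the access decision for an operation, as a reference monitor would."""
    if op == "read":
        return "allow" if can_read(session, obj) else "deny"
    if op == "write":
        return "allow" if can_write(session, obj) else "deny"
    raise ValueError(f"unknown operation: {op}")


if __name__ == "__main__":
    secret_alpha = Label("SECRET", {"ALPHA"})
    secret_bravo = Label("SECRET", {"BRAVO"})
    unclassified = Label("UNCLASSIFIED")
    print(secret_alpha.dominates(secret_bravo))          # False: incomparable labels
    print(secret_alpha.join(secret_bravo))               # SECRET {ALPHA, BRAVO}
    print(mediate(secret_alpha, unclassified, "read"))   # allow (read-down)
    print(mediate(secret_alpha, unclassified, "write"))  # deny (labels not equal)
```

Note that two labels with the same classification but different categories are incomparable: neither dominates the other, so a subject at SECRET {ALPHA} cannot read SECRET {BRAVO} data, yet the join of the two exists and strictly dominates both, which is what makes the set of labels a lattice rather than a simple ordering.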
