LOMAC's protection scheme is specifically designed to prevent possibly malicious remote entities from using the network to command local processes to modify local /etc configuration files. Unfortunately, this scenario essentially describes the purpose of pump, the client-side DHCP agent: pump modifies local configuration files such as /etc/resolv.conf on behalf of remote DHCP servers. Similarly, LOMAC's protection scheme is specifically designed to prevent processes from transferring data from low-integrity to high-integrity files. Unfortunately, this is essentially what occurs as log messages travel from low-integrity processes to the high-integrity system log file through the system log daemon, syslogd.
In both these cases, LOMAC must make an exception to allow these critical programs to operate properly. To this end, LOMAC maintains a short list of ``trusted'' programs. LOMAC never demotes processes that are running trusted programs. Being free from demotion, as long as pump and syslogd begin running at a high level, they will remain at that level and operate properly. Since trust frees a program only from LOMAC's demotion behavior, running a trusted program at the low integrity level does not provide any additional privileges. Still, the presence of trusted programs represents some risk. If a high-level process running a trusted program were compromised, LOMAC would not prevent it from harming the high-integrity part of the system.
LOMAC also uses the trusted program mechanism to make some concessions to usability. Because it demotes network-reading programs, LOMAC effectively prevents remote administration. (A level-1 process cannot modify critical configuration files, even with the root identity.) Since remote administration is critical to some real-world operations, LOMAC trusts the Secure Shell daemon sshd. This arrangement grants administrators high-level user sessions via SSH, as follows:
LOMAC demotes untrusted remote login daemons such as telnetd and rlogind as soon as they read from the network, preventing them from forking off high-level children. However, because of LOMAC's trust, high-level processes running sshd can read from the network without being demoted, and fork off high-level processes to run local user shells. With the trusted sshd acting as an un-demotable bridge to the network interface, these local user shells escape demotion themselves by interacting with the network only indirectly, through high-level pseudoterminal devices.
LOMAC also provides a trusted file upgrader, lup. When run at a high integrity level, lup allows administrators to copy low-integrity files (such as downloaded software updates) to the high-integrity area of the system, presumably after manually verifying that they represent no threat to integrity. The lup program is effectively a limited version of cp with additional logging. Only its trust-enabled escape from demotion allows it to upgrade files. Consequently, running lup from a low integrity level will not permit a user to write a high-level file.