Bell-LaPadula and Biba Together
They're definitely not mutually exclusive, because they're orthogonal: they deal with different issues altogether. One deals with confidentiality, the other with integrity. @AviD pointed out correctly that the combination of both is called the 'strong * property', which disallows reading or writing from any other level but your own. This idea was introduced to battle the problem inherent to Biba-LaPadula: no state. If you have three levels, A, B and C, and B can read from A and write to C, then you can traverse data from A to C, even though there are no explicit rules allowing such transfer. The whole 'no state' thing is so severely limiting that the Biba-LaPadula is really only taught to security students as the first and simplest security model; it's really a toy, an educational construct.
While technically they don't conflict, functionally they do.
It is possible to implement both, i.e.
- No Read Up
- No Write Up
- No Read Down
- No Write Down
i.e., a user can only read and write in his own classification level.
While the models explicitly support combining them (with strong * properties), I'd have difficulty figuring out why you'd want to, what situation would require such a model, and what benefit you're trying to achieve. (I admit that I've never used or seen this in practice).
This seems like you're trying to implement some form of hard separation between classes of users, and I would think there are simpler ways to do so.
Just noticed you were asking specifically about operating systems - well, other than the fact that current OSes don't support this (except perhaps with the possible exception of specialized military systems), you'd again be creating a very strong separation between classes of users. Effectively granting each class its own, unshareable space.
But more than that, assuming this would be system-wide, there would be no way to share program files, e.g. OS / system code. So, no - short of implementing strong VMs (hmm, will Qubes support this?) there would be no way of implementing this in an OS (unless you limit it to part of the system, which again becomes pointless...)
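The rules discussed in both answers, as an added example that is not part of either answer: a small reference monitor over the levels A, B and C (assumed here to be ordered low to high) that evaluates Bell-LaPadula, Biba and their combination, and computes which cross-level data flows each stateless policy permits when subjects relay what they read. All function names are hypothetical.

```python
from itertools import product

# Constructed levels, ordered low to high (assumption: a simple total order).
LEVELS = {"A": 0, "B": 1, "C": 2}

def blp(subj, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subj], LEVELS[obj]
    return s >= o if op == "read" else s <= o

def biba(subj, obj, op):
    """Biba (integrity): no read down, no write up."""
    s, o = LEVELS[subj], LEVELS[obj]
    return s <= o if op == "read" else s >= o

def combined(subj, obj, op):
    """Both models enforced at once: an access must pass both checks."""
    return blp(subj, obj, op) and biba(subj, obj, op)

def allowed(policy):
    """All (subject, object, op) triples the policy permits."""
    return {(s, o, op) for s, o in product(LEVELS, LEVELS)
            for op in ("read", "write") if policy(s, o, op)}

def flows(policy):
    """Cross-level data flows reachable when subjects relay what they read.

    A direct flow src -> dst exists if some subject may read src and write dst.
    The policy keeps no state, so chains of such steps are followed to a fixpoint.
    """
    direct = {(src, dst) for subj, src, dst in product(LEVELS, repeat=3)
              if policy(subj, src, "read") and policy(subj, dst, "write")}
    closure = set(direct)
    while True:
        step = {(a, d) for (a, b) in closure for (c, d) in direct if b == c}
        if step <= closure:
            break
        closure |= step
    return {(a, b) for a, b in closure if a != b}

if __name__ == "__main__":
    print("combined allows:", sorted(allowed(combined)))
    print("BLP flows:      ", sorted(flows(blp)))
    print("Biba flows:     ", sorted(flows(biba)))
    print("combined flows: ", sorted(flows(combined)))
```

With both models enforced, every permitted access has subject and object at the same level and no cross-level flow remains, which is the "own, unshareable space" per class described above.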