
Re: SELinux should be off by default in FC3



On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:
> They are such different beasts: With DAC, permissions over resources 
> are managed by their owners (root or users). In a MAC-based system, a 
> policy governs how the system security behaves, and the policy is set 
> up by an administrator and obeyed by everyone.

Right.  Two other important differentiators between DAC and MAC beyond
the issue of administratively-defined policy include:
2) Control over all processes and objects in the system (e.g. not just
files),
3) Control based on all security-relevant information, not just user
identity (e.g. role in which the user is acting, function and
trustworthiness of the program, sensitivity/integrity of the data).

DAC cannot protect against flawed or malicious programs.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
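
Added example, not part of the original message: a toy access-decision model contrasting a DAC check (user identity and owner-set mode bits) with a MAC check keyed on role, program domain, object label and object class. All labels, the policy table and the scenario are constructed for illustration and are not real SELinux policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    uid: int      # user identity: the only input DAC looks at
    role: str     # role the user is acting in
    domain: str   # label for the program's function and trustworthiness

@dataclass(frozen=True)
class Obj:
    owner: int
    mode: int     # owner/other permission bits (group omitted for brevity)
    label: str    # label for the data's sensitivity/integrity
    cls: str      # "file" or "process": MAC covers more than files

BITS = {"read": 4, "write": 2}

def dac_allows(s, o, perm):
    """Owner-managed check, decided by user identity alone."""
    if s.uid == 0:
        return True
    if o.cls == "process":            # signalling: same user is enough
        return s.uid == o.owner
    bits = (o.mode >> 6) & 7 if s.uid == o.owner else o.mode & 7
    return bool(bits & BITS.get(perm, 0))

# Administrator-defined policy; labels are constructed, not real SELinux types.
# Key: (role, subject domain, object label, object class). Unlisted means denied.
POLICY = {
    ("user_r", "editor_t", "user_doc_t", "file"): {"read", "write"},
    ("user_r", "browser_t", "download_t", "file"): {"read", "write"},
    ("user_r", "editor_t", "editor_t", "process"): {"signal"},
}

def mac_allows(s, o, perm):
    """Policy check: users cannot change it, and it ignores file ownership."""
    return perm in POLICY.get((s.role, s.domain, o.label, o.cls), set())

def access(s, o, perm):
    """Both checks must pass, as on an SELinux system."""
    return dac_allows(s, o, perm) and mac_allows(s, o, perm)

# Constructed scenario: one user runs a trusted editor and a flawed browser.
editor = Subject(1000, "user_r", "editor_t")
browser = Subject(1000, "user_r", "browser_t")
notes = Obj(1000, 0o600, "user_doc_t", "file")
editor_proc = Obj(1000, 0, "editor_t", "process")
```

Under DAC alone the flawed browser can read the user's notes and signal the editor because it runs with the same uid; the MAC policy denies both while the editor keeps its access.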

