[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: SELinux should be off by default in FC3

> -----Original Message-----
> From: fedora-devel-list-bounces redhat com [mailto:fedora-devel-list-
> bounces redhat com] On Behalf Of Stephen Smalley
> On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:
> > They are such different beasts: With DAC, permissions over resources
> > are managed by their owners (root or users). In a MAC-based system, a
> > policy governs how the system security behaves, and the policy is set
> > up by an administrator and obeyed by everyone.
> Right.  Two other important differentiators between DAC and MAC beyond
> the issue of administratively-defined policy include:
> 2) Control over all processes and objects in the system (e.g. not just
> files),
> 3) Control based on all security-relevant information, not just user
> identity (e.g. role in which the user is acting, function and
> trustworthiness of the program, sensitivity/integrity of the data).
> DAC cannot protect against flawed or malicious programs.

This can't be stressed enough. SELinux is a disruptive technology, but it is
the first time that a security technology that solves some of the
fundamental security problems that are plaguing computers is available in a
mainstream operating system.


Karl MacMillan
Tresys Technology
(410)290-1411 ext 134

> --
> Stephen Smalley <sds epoch ncsc mil>
> National Security Agency
> --
> fedora-devel-list mailing list
> fedora-devel-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]