[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: SELinux should be off by default in FC3



> -----Original Message-----
> From: fedora-devel-list-bounces redhat com [mailto:fedora-devel-list-
> bounces redhat com] On Behalf Of Stephen Smalley
> 
> On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:
> > They are such different beasts: With DAC, permissions over resources
> > are managed by their owners (root or users). In a MAC-based system, a
> > policy governs how the system security behaves, and the policy is set
> > up by an administrator and obeyed by everyone.
> 
> Right.  Two other important differentiators between DAC and MAC beyond
> the issue of administratively-defined policy include:
> 2) Control over all processes and objects in the system (e.g. not just
> files),
> 3) Control based on all security-relevant information, not just user
> identity (e.g. role in which the user is acting, function and
> trustworthiness of the program, sensitivity/integrity of the data).
> 
> DAC cannot protect against flawed or malicious programs.
> 

This can't be stressed enough. SELinux is a disruptive technology, but it is
the first time that a security technology that solves some of the
fundamental security problems that are plaguing computers is available in a
mainstream operating system.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> --
> Stephen Smalley <sds epoch ncsc mil>
> National Security Agency
> 
> --
> fedora-devel-list mailing list
> fedora-devel-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-devel-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]