SELinux should be off by default in FC3
Stephen Smalley
sds at epoch.ncsc.mil
Thu Oct 7 18:56:03 UTC 2004
On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:
> They are such different beasts: With DAC, permissions over resources
> are managed by their owners (root or users). In a MAC-based system, a
> policy governs how the system security behaves, and the policy is set
> up by an administrator and obeyed by everyone.
Right. Two other important differentiators between DAC and MAC beyond
the issue of administratively-defined policy include:
2) Control over all processes and objects in the system (e.g. not just
files),
3) Control based on all security-relevant information, not just user
identity (e.g. role in which the user is acting, function and
trustworthiness of the program, sensitivity/integrity of the data).
DAC cannot protect against flawed or malicious programs.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the devel
mailing list