SELinux should be off by default in FC3
Karl MacMillan
kmacmillan at tresys.com
Fri Oct 8 15:30:43 UTC 2004
> -----Original Message-----
> From: fedora-devel-list-bounces at redhat.com [mailto:fedora-devel-list-
> bounces at redhat.com] On Behalf Of Stephen Smalley
>
> On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:
> > They are such different beasts: With DAC, permissions over resources
> > are managed by their owners (root or users). In a MAC-based system, a
> > policy governs how the system security behaves, and the policy is set
> > up by an administrator and obeyed by everyone.
>
> Right. Two other important differentiators between DAC and MAC beyond
> the issue of administratively-defined policy include:
> 2) Control over all processes and objects in the system (e.g. not just
> files),
> 3) Control based on all security-relevant information, not just user
> identity (e.g. role in which the user is acting, function and
> trustworthiness of the program, sensitivity/integrity of the data).
>
> DAC cannot protect against flawed or malicious programs.
>
This can't be stressed enough. SELinux is a disruptive technology, but it is
the first time that a security technology that solves some of the
fundamental security problems that are plaguing computers is available in a
mainstream operating system.
Karl
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
> --
> Stephen Smalley <sds at epoch.ncsc.mil>
> National Security Agency
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-devel-list
More information about the devel
mailing list