NB MAC - Revision history

RichardHaines at 13:50, 6 September 2012

2012-09-06T13:50:42Z

←Older revision		Revision as of 13:50, 6 September 2012
Line 7:		Line 7:
	* [[NB_Objects \| Objects]] are system resources such as files, sockets, etc.		* [[NB_Objects \| Objects]] are system resources such as files, sockets, etc.
	* security attributes are the [[NB_SC \| security context]].		* security attributes are the [[NB_SC \| security context]].
-	* Security Server within the Linux kernel authorizes access (or not) using the:	+	* Security Server within the Linux kernel authorizes access (or not) using the security policy (or policy) that describes rules that must be enforced.
-	* security policy (or policy) that describes rules that must be ~~obeyed~~.	+

	Note that the subject (and therefore the user) cannot decide to bypass the policy rules being enforced by the MAC policy with SELinux enabled. Contrast this to standard Linux Discretionary Access Control (DAC), which also governs the ability of subjects to access objects, however it allows users to make policy decisions (see [http://taiga.selinuxproject.org/~rhaines/diagrams/3-processing-call.png Processing a System Call]).		Note that the subject (and therefore the user) cannot decide to bypass the policy rules being enforced by the MAC policy with SELinux enabled. Contrast this to standard Linux Discretionary Access Control (DAC), which also governs the ability of subjects to access objects, however it allows users to make policy decisions (see [http://taiga.selinuxproject.org/~rhaines/diagrams/3-processing-call.png Processing a System Call]).

Jaxelson: linked subject and object

2010-09-15T00:38:07Z

linked subject and object

←Older revision		Revision as of 00:38, 15 September 2010
Line 1:		Line 1:
	= Mandatory Access Control (MAC) =		= Mandatory Access Control (MAC) =
-	Mandatory Access Control (MAC) is a type of access control in which the operating system is used to constrain a user or process (the subject) from accessing or performing an operation on an object (such as a file, disk, memory etc.).	+	Mandatory Access Control (MAC) is a type of access control in which the operating system is used to constrain a user or process (the [[NB Subjects\|subject]]) from accessing or performing an operation on an [[NB Objects\|object]] (such as a file, disk, memory etc.).

	Each of the subjects and objects have a set of security attributes that can be interrogated by the operating system to check if the requested operation can be performed or not. For SELinux the:		Each of the subjects and objects have a set of security attributes that can be interrogated by the operating system to check if the requested operation can be performed or not. For SELinux the:

Jaxelson at 20:46, 13 September 2010

2010-09-13T20:46:54Z

←Older revision		Revision as of 20:46, 13 September 2010
Line 20:		Line 20:
	----		----
	<references/>		<references/>
		+
		+	[[Category:Notebook]]

RichardHaines: New page: = Mandatory Access Control (MAC) = Mandatory Access Control (MAC) is a type of access control in which the operating system is used to constrain a user or process (the subject) from access...

2010-05-16T13:52:31Z

New page: = Mandatory Access Control (MAC) = Mandatory Access Control (MAC) is a type of access control in which the operating system is used to constrain a user or process (the subject) from access...

New page

= Mandatory Access Control (MAC) =
Mandatory Access Control (MAC) is a type of access control in which the operating system is used to constrain a user or process (the subject) from accessing or performing an operation on an object (such as a file, disk, memory etc.).

Each of the subjects and objects have a set of security attributes that can be interrogated by the operating system to check if the requested operation can be performed or not. For SELinux the:

* [[NB_Subjects | Subjects]] are processes.
* [[NB_Objects | Objects]] are system resources such as files, sockets, etc.
* security attributes are the [[NB_SC | security context]].
* Security Server within the Linux kernel authorizes access (or not) using the:
* security policy (or policy) that describes rules that must be obeyed.

Note that the subject (and therefore the user) cannot decide to bypass the policy rules being enforced by the MAC policy with SELinux enabled. Contrast this to standard Linux Discretionary Access Control (DAC), which also governs the ability of subjects to access objects, however it allows users to make policy decisions (see [http://taiga.selinuxproject.org/~rhaines/diagrams/3-processing-call.png Processing a System Call]).

SELinux supports two forms of MAC:

# '''Type Enforcement''' - Where processes run in domains and the actions on objects are controlled by the policy. This is the implementation used for general purpose MAC within SELinux. The [[NB_TE | Type Enforcement]] section covers this in more detail.
# '''Multi-Level Security''' - This is an implementation based on the Bell-La Padula (BLP) model, and used by organizations where different levels of access are required so that (for example in some defence / Government systems) restricted information is separated from classified information (i.e. maintaining confidentiality). This allows enforcement rules such as "no write down" and "no read up" to be implemented in a policy by extending the security context to include security levels. The [[NB_MLS | Multilevel Security ]] section covers this in more detail along with a variant of MLS called Multi-Category Security (MCS).

----
<references/>