Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a type of access control in which the operating system is used to constrain a user or process (the subject) from accessing or performing an operation on an object (such as a file, disk, memory etc.).
Each of the subjects and objects have a set of security attributes that can be interrogated by the operating system to check if the requested operation can be performed or not. For SELinux the:
- Subjects are processes.
- Objects are system resources such as files, sockets, etc.
- security attributes are the security context.
- Security Server within the Linux kernel authorizes access (or not) using the:
- security policy (or policy) that describes rules that must be obeyed.
Note that the subject (and therefore the user) cannot decide to bypass the policy rules being enforced by the MAC policy with SELinux enabled. Contrast this to standard Linux Discretionary Access Control (DAC), which also governs the ability of subjects to access objects, however it allows users to make policy decisions (see Processing a System Call).
SELinux supports two forms of MAC:
- Type Enforcement - Where processes run in domains and the actions on objects are controlled by the policy. This is the implementation used for general purpose MAC within SELinux. The Type Enforcement section covers this in more detail.
- Multi-Level Security - This is an implementation based on the Bell-La Padula (BLP) model, and used by organizations where different levels of access are required so that (for example in some defence / Government systems) restricted information is separated from classified information (i.e. maintaining confidentiality). This allows enforcement rules such as "no write down" and "no read up" to be implemented in a policy by extending the security context to include security levels. The Multilevel Security section covers this in more detail along with a variant of MLS called Multi-Category Security (MCS).