6

I can see clearly how discretionary access control (DAC) works by checking the properties of a file on my MS Windows machine: the file has attributes, and the owner of the file can do almost anything with it, like making it available for everyone to read, transferring the ownership to another user or even deleting it.

However, I can't find any visible example that I can actually see in a GUI that might help me to understand how mandatory access control (MAC) works. Can I create a file under MAC? How does the file get its attributes? And how is it possible that I don't own it?

Ulkoma
  • Is the question specific to Windows? – Steve Dodier-Lazaro Aug 14 '14 at 10:42
  • No, I was just referring to the fact that I can see how DAC works on Windows, for example – Ulkoma Aug 14 '14 at 10:44
  • From [Maharashtra state board of technical education model answers](http://msbte12.msbte.org.in/ems_s13/ems_th/model_answer_lot1/REVISED-12177.pdf): > Mandatory Access control (MAC): It is used in environments where different levels of security are classified. It is much more restrictive. It is sensitivity based restriction, formal authorization subject to sensitivity. In MAC the owner or User can not determine whether access is granted to or not. i.e. Operating system rights. Security mechanism controls access to all objects and individual can not change that access. – Rohan Chaubey Aug 14 '14 at 12:31
  • You can find a long list of implementations of Mandatory Access Control [here](https://en.wikipedia.org/wiki/Mandatory_access_control#Implementations). – eaorak Jun 21 '15 at 09:55

1 Answer

12

There are a couple of places where you can see Mandatory Access Control (MAC) systems in operation in consumer OSs that spring to mind.

SELinux is installed on a number of Linux distributions and can be set in enforcing mode, which would show an example.

Windows Mandatory Integrity Levels are another example.

Seeing an example of this could be done by getting a Windows 8 machine and trying to modify files within a Windows 8 Store program's installation directory (under the hidden directory c:\program files\windowsapps). Even as an administrative user, you will be prevented from changing these files via standard OS tools even after you have "taken ownership" of the file, which in a DAC system would usually allow you to modify it.

Rory McCune
  • I don't find the "ownership" reason justified in parlance with MAC. Does MAC mean "privilege" on Windows? "Take Ownership" is a privilege, which can be assigned to users also. Where is MAC coming into the picture? – Ajay Dec 18 '15 at 17:36
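
The distinction drawn in the answer (taking ownership satisfies DAC but does not get past MAC) and the question's "how does the file get its attributes?", shown as an added example that is not part of any post above and is not the code of any operating system. It is a simplified Python model: the label names, the "no write up" rule and the policy that a new file takes its creator's label are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

Level = IntEnum("Level", "LOW MEDIUM HIGH SYSTEM")  # illustrative labels, values 1..4

@dataclass
class Subject:
    name: str
    level: Level  # assigned by the system when the process starts, not by the user

@dataclass
class File:
    owner: str
    level: Level  # mandatory label: no owner operation in this model changes it
    writers: set = field(default_factory=set)  # discretionary ACL, owner-editable

def create_file(creator: Subject) -> File:
    # The label comes from policy (assumed here: the creator's own level),
    # not from anything the creator chooses.
    return File(owner=creator.name, level=creator.level, writers={creator.name})

def take_ownership(subject: Subject, f: File) -> None:
    # Purely a DAC operation: the new owner can rewrite the ACL, nothing more.
    f.owner = subject.name
    f.writers.add(subject.name)

def dac_allows_write(subject: Subject, f: File) -> bool:
    return subject.name in f.writers

def mac_allows_write(subject: Subject, f: File) -> bool:
    # "No write up": a subject may not modify an object labelled above it.
    return subject.level >= f.level

def can_write(subject: Subject, f: File) -> bool:
    # Both checks must pass; being the owner does not bypass the MAC check.
    return dac_allows_write(subject, f) and mac_allows_write(subject, f)

def scenario():
    admin = Subject("admin", Level.HIGH)
    # Constructed sample: a protected file labelled above the administrator.
    protected = File(owner="installer", level=Level.SYSTEM, writers={"installer"})
    before = can_write(admin, protected)
    take_ownership(admin, protected)
    after = (dac_allows_write(admin, protected),
             mac_allows_write(admin, protected), can_write(admin, protected))
    own_file = create_file(admin)
    return before, after, (own_file.level, can_write(admin, own_file))

if __name__ == "__main__":
    print(scenario())
```

After `take_ownership` the DAC check passes while the MAC check still fails, so the write is refused; a file the administrator creates is labelled at the administrator's own level and is writable.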