IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [mandatory-access-control]

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc.

SELinux is a notable implementation of mandatory access control.

36 questions
11
votes
6 answers

What is preventing the widespread common use of MAC-type systems?

Overall question What is preventing the uptake of MAC systems such as SELinux/AppArmor in corporate and desktop computing environments? Why don't you think it isn't already widespread? I do not count "available in the operating system" as…
user2213
10
votes
3 answers

Security tradeoffs of pathname-based MAC (e.g., TOMOYO, grsecurity, AppArmor, ...)

I have been learning about MAC (Mandatory Access Control) systems in Linux. Often, but not always, these are tied to Linux Security Modules. Some systems I've looked at: SELinux, Tomoyo, AppArmor, grsecurity, Smack. As far as I understood, all…
humanityANDpeace
  • 1,412
  • 1
  • 12
  • 24
9
votes
5 answers

What is the practical difference between MAC and Capabilities

Both Mandatory Access Controls and Capabilities allow for fine grained privileges to be assigned to applications irrespective or in place of privileges inherited by the running user. Is there any practical difference between these two approaches? I…
Sonny Ordell
  • 3,476
  • 9
  • 33
  • 56
9
votes
2 answers

How is MAC useful?

I know what mandatory access control (MAC) is, but I don't see how it helps. Often it seems to be said that if you have something like SELinux or AppArmor enabled you are magically more secure. And with this, the permissions of something is…
Teipekpohkl
  • 973
  • 1
  • 3
  • 7
8
votes
3 answers

Bell-LaPadula imlementation example

I'm currently studying the Bell-LaPadula model and i need to do an implementation as an example. I understand how the model works, but I have difficulties implementing it in a programming language (for example Java). I consider to have the…
user1019710
  • 81
  • 1
  • 1
  • 3
6
votes
1 answer

What is a visible example for a mandatory access control (MAC)

I can see clearly how discretionary access control (DAC) works by checking the properties of a file on my MSWindows machine, the file has attributes and the owner of the file can do almost anything with it like making it available for everyone to…
Ulkoma
  • 8,793
  • 16
  • 65
  • 95
6
votes
2 answers

What are the practical differences between SELinux targeted mode and a capability based OS?

I recently asked a question about the differences between capabilities and mandatory access controls. Among the answers I got the point was made that systems like SE Linux in targeted mode are not a typical MAC system, as the concern is not about…
Sonny Ordell
  • 3,476
  • 9
  • 33
  • 56
5
votes
1 answer

Do AppArmor/SELinux provide any security for workstation?

I decided to harden security on my primary workstation a bit. Before I used to use firejail for certain less trusted apps (all apps with internet access) but it's kind of toy. Didn't work really well for me. So I tried to read about real tools which…
Lapsio
  • 217
  • 1
  • 9
4
votes
1 answer

Can too restrictive Linux MAC policy decrease security?

Can too restrictive MAC profile (e.x. AppArmor profile) decrease application security? For example: could it be that too restrictive environment for web browser will protect host system very well while disabling some internal browser security…
Vladimir Berlev
  • 263
  • 2
  • 8
4
votes
3 answers

Defense-In-Depth With Common Security Controls

Many operating systems implement system capabilities, Posix access controls (DAC/ACLs) and mandatory access controls (SELinux), each using different underlying security controls to provide individual layers of security, thereby implementing the…
Whome
  • 1,231
  • 11
  • 21
4
votes
1 answer

Are Linux System Capabilities Considered Mandatory Access Controls?

DAC is not mandatory because access permissions are left up to the resource owner's discretion. Mandatory Access Control (Smack, SELinux, etc) administration can only be accomplished by a process/user with CAP_MAC_ADMIN (or root). Since MAC…
Whome
  • 1,231
  • 11
  • 21
3
votes
3 answers

Apparmor system-wide security -- white-listing

I want to only white-list applications that can run on my system using Apparmor, I know it is used to confine applications/programs based on their path names, but what I need is to contain those applications to run in confinement, and everything…
securecurve
  • 153
  • 2
  • 7
3
votes
4 answers

Real value of MAC models in Linux

I have read about MAC vs. DAC in the Internet, but I still fail to understand, what kind of attack it is impossible to protect against if one only uses DAC+capabilities in comparison to MAC+DAC+capabilities. If a process does not run as root and…
Student4K
  • 131
  • 2
3
votes
1 answer

Are Bell-LaPadula and Biba models used in real big software security design?

I am currently studying both Bell-LaPadula and Biba models, I found this models too theoretical as I see the examples and I can see that there are used for designing particular services that needs particular security design that can be achieved with…
Mauricio Pastorini
  • 133
  • 4
3
votes
2 answers

Where do Access Controls Fit into the Parkerian Hexad?

The security elements of the Parkerian Hexad are: Confidentiality Possession or Control Integrity Authenticity Availability Utility Where do access controls (mandatory, discretionary and ACL) fit in?
Whome
  • 1,231
  • 11
  • 21
1
2 3