On Sun, Jul 17, 2011 at 01:56:58PM -0600, Thomas S Hatch wrote:
> I mentioned that I consider tcp_wrappers to be a DAC, someone asked me to
> clarify on MAC and DAC systems, so I put up a blog post:
>
> http://red45.wordpress.com/2011/07/17/mac-and-dac-core-security-concepts/

You equate:

  MAC = whitelist
  DAC = blacklist

Used as such they are redundant; you could just say whitelist/blacklist instead.

I've seen other definitions:

MAC: imposed on all applications; they can't opt out and it doesn't require
their support. According to this, iptables is a MAC even if it can be
configured either in whitelist or blacklist style, as you show in your blog.

DAC: voluntary; only applies to those apps that have been compiled or set up
to use it. In this sense tcp_wrappers is a DAC.

So we reach the same conclusion, but from different definitions.

Ciao,
-- 
FA
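The distinction FA draws above (imposed versus voluntary, independent of whitelist versus blacklist) is easy to see with a small model of both mechanisms. The following is an added example, not code from the thread or from the blog post it discusses. It reimplements a subset of the tcp_wrappers hosts.allow/hosts.deny matching rules (daemon_list : client_list, with ALL, exact addresses, address/netmask and dotted prefixes; no EXCEPT, no shell commands) and a first-match iptables INPUT chain with a default policy. The hosts.allow, hosts.deny and rule sets are constructed sample data, and `linked_with_libwrap` is an assumed flag standing in for whether the daemon was built against libwrap at all.

```python
import ipaddress

# Constructed sample files.  tcp_wrappers consults hosts.allow first, then
# hosts.deny; first match wins, and no match at all means the client is allowed.
HOSTS_ALLOW = """
# management LAN and loopback may reach sshd
sshd: 10.0.1.0/255.255.255.0
ALL: 127.0.0.1
"""

HOSTS_DENY = """
# everybody else is refused, but only for sshd
sshd: ALL
"""


def parse_access_file(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.

    Simplified reimplementation of the hosts_access(5) syntax: comments and
    blank lines are skipped, the optional shell_command field is not supported.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, client_ip):
    """Subset of client patterns: ALL, exact address, addr/mask or addr/len,
    and a trailing-dot prefix such as '10.0.'."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def tcp_wrappers_allows(daemon, client_ip, linked_with_libwrap=True,
                        allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Voluntary control: the check only happens if the daemon calls libwrap."""
    if not linked_with_libwrap:
        return True                      # the files are never consulted
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_access_file(text):
            if ("ALL" in daemons or daemon in daemons) and \
               any(client_matches(c, client_ip) for c in clients):
                return verdict
    return True                          # no match: tcp_wrappers defaults to allow


def iptables_verdict(chain, policy, client_ip, dport):
    """Imposed control: every packet crosses the INPUT chain regardless of the
    daemon.  First matching rule wins; the chain policy decides the rest."""
    addr = ipaddress.ip_address(client_ip)
    for source, port, target in chain:
        if port is not None and port != dport:
            continue
        if source != "ALL" and addr not in ipaddress.ip_network(source, strict=False):
            continue
        return target
    return policy


# Whitelist style: policy DROP, the rules enumerate what is permitted.
WHITELIST_CHAIN = [("127.0.0.0/8", None, "ACCEPT"), ("10.0.1.0/24", 22, "ACCEPT")]
# Blacklist style: policy ACCEPT, the rules enumerate what is refused.
BLACKLIST_CHAIN = [("192.0.2.0/24", None, "DROP")]


def compare(daemon, client_ip, dport, linked_with_libwrap):
    """Side-by-side verdicts (True = connection allowed) for one attempt."""
    return {
        "tcp_wrappers": tcp_wrappers_allows(daemon, client_ip, linked_with_libwrap),
        "iptables_whitelist": iptables_verdict(WHITELIST_CHAIN, "DROP", client_ip, dport) == "ACCEPT",
        "iptables_blacklist": iptables_verdict(BLACKLIST_CHAIN, "ACCEPT", client_ip, dport) == "ACCEPT",
    }


if __name__ == "__main__":
    cases = [("sshd", "10.0.1.5", 22, True), ("sshd", "198.51.100.7", 22, True),
             ("sshd", "198.51.100.7", 22, False), ("vsftpd", "198.51.100.7", 21, True)]
    for daemon, ip, port, wrapped in cases:
        print(daemon, ip, "libwrap" if wrapped else "no libwrap", compare(daemon, ip, port, wrapped))
```

Two things the model makes visible. A daemon that was never linked against libwrap sails past an "sshd: ALL" in hosts.deny, while the iptables whitelist still drops the same packet; that is the opt-out FA's definition turns on. And a daemon that is wrapped but has no deny line (vsftpd here) is allowed because tcp_wrappers' default is to allow, so hosts.deny is a blacklist unless you end it with "ALL: ALL". On a real host the corresponding checks are `ldd /usr/sbin/sshd | grep libwrap` (is the check even compiled in?) and `iptables -L INPUT -n` (what is the chain policy?).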