On Sun, Jul 17, 2011 at 2:18 PM, Fons Adriaensen <fons@xxxxxxxxxxxxxx> wrote:

> On Sun, Jul 17, 2011 at 01:56:58PM -0600, Thomas S Hatch wrote:
>
> > I mentioned that I consider tcp_wrappers to be a DAC, someone asked me to
> > clarify on MAC and DAC systems, so I put up a blog post:
> >
> > http://red45.wordpress.com/2011/07/17/mac-and-dac-core-security-concepts/
>
> You equate
>
> MAC = whitelist
> DAC = blacklist
>
> Used as such they are redundant, you could just say
> white/blacklist instead. I've seen other definitions:
>
> MAC: imposed on all applications, they can't opt out
> and it doesn't require their support. According to
> this, iptables is a MAC even if it can be configured
> either in whitelist or blacklist style as you show
> in your blog.
>
> DAC: voluntary, only applies to those apps that have
> been compiled or set up to use it. In this sense
> tcp_wrappers is a DAC.
>
> So we reach the same conclusion, but from different
> definitions.
>
> Ciao,
>
> --
> FA

I like it, I think that we agree: iptables is a MAC that can be configured logically to act as a DAC, whereas tcp_wrappers is just a DAC. I should clarify in my blog post that I am trying to show the concept of what MAC and DAC are, rather than the implementation classification. Thanks for the clarity :)
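The distinction Fons draws above (a packet filter is consulted for every connection whether or not the daemon knows about it; tcp_wrappers is consulted only by daemons built or configured to call into libwrap) can be modelled in a few lines. The following is an added example, not code from the thread or from the blog post it refers to. It simulates an iptables-style chain in both whitelist (default DROP) and blacklist (default ACCEPT) style, a simplified hosts.allow/hosts.deny evaluator covering ALL, net/mask, dotted-prefix and EXCEPT patterns (real tcp_wrappers also handles hostnames, LOCAL, KNOWN and per-rule options, which are omitted here), and a hypothetical connect() that shows a daemon ignoring hosts.deny when it does not use libwrap while still being unable to bypass the filter. The sample rule sets and addresses are constructed for the illustration.

```python
"""Model of the MAC-like filter vs. DAC-like tcp_wrappers distinction.

Added example: the Chain class, hosts_access() and connect() are illustrative
stand-ins, not the iptables or libwrap implementations. All configuration
data below is constructed sample input."""
import ipaddress
from typing import Callable, List, Tuple


class Chain:
    """iptables-style chain: first matching rule wins, else the default policy."""

    def __init__(self, policy: str, rules: List[Tuple[str, str]]):
        self.policy = policy
        self.rules = [(target, ipaddress.ip_network(net)) for target, net in rules]

    def verdict(self, src: str) -> str:
        addr = ipaddress.ip_address(src)
        for target, net in self.rules:
            if addr in net:
                return target
        return self.policy


# Whitelist style: everything is dropped unless explicitly accepted.
WHITELIST = Chain("DROP", [("ACCEPT", "10.0.0.0/8"), ("ACCEPT", "192.168.1.5/32")])
# Blacklist style: everything is accepted unless explicitly dropped.
BLACKLIST = Chain("ACCEPT", [("DROP", "203.0.113.0/24")])

# Constructed hosts.allow / hosts.deny contents (tcp_wrappers syntax subset).
HOSTS_ALLOW = """
# daemon_list : client_list
sshd: 10.0.0.0/255.0.0.0, 192.168.1.5
ALL: 192.168.1. EXCEPT 192.168.1.66
"""
HOSTS_DENY = """
ALL: ALL
"""


def _client_matches(pattern: str, client: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # numeric prefix such as "192.168.1."
        return client.startswith(pattern)
    if "/" in pattern:  # net/mask, dotted mask or CIDR length
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return client == pattern


def _daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _list_matches(lst: str, item: str, match: Callable[[str, str], bool]) -> bool:
    # "a, b EXCEPT c": matches the left side and not the right; EXCEPT nests rightwards.
    if " EXCEPT " in lst:
        left, right = lst.split(" EXCEPT ", 1)
        return _list_matches(left, item, match) and not _list_matches(right, item, match)
    return any(match(p.strip(), item) for p in lst.split(",") if p.strip())


def _file_matches(text: str, daemon: str, client: str) -> bool:
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        if _list_matches(daemons.strip(), daemon, _daemon_matches) and \
                _list_matches(clients.strip(), client, _client_matches):
            return True
    return False


def hosts_access(daemon: str, client: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """libwrap-style decision: hosts.allow first, then hosts.deny, else allow."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True


def connect(daemon: str, uses_libwrap: bool, src: str, chain: Chain) -> str:
    """Outcome of one connection attempt. The chain is consulted for every
    connection; hosts_access() only if the daemon opted in by using libwrap."""
    if chain.verdict(src) != "ACCEPT":
        return "filtered"  # the daemon never sees the connection
    if uses_libwrap and not hosts_access(daemon, src):
        return "refused by tcp_wrappers"
    return "accepted"


if __name__ == "__main__":
    # A daemon not linked with libwrap ignores hosts.deny entirely ...
    print(connect("httpd", False, "198.51.100.9", BLACKLIST))   # accepted
    # ... but cannot opt out of the packet filter.
    print(connect("httpd", False, "203.0.113.7", BLACKLIST))    # filtered
```

Whether a given binary actually consults hosts.allow/hosts.deny is the practical check behind the "voluntary" point: on a real system `ldd $(command -v sshd) | grep libwrap` (or, for a service started via inetd/xinetd, whether it is run through tcpd) tells you if the daemon opted in, whereas nothing a daemon is linked against lets it skip a netfilter rule.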