On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:

> They are such different beasts: With DAC, permissions over resources
> are managed by their owners (root or users). In a MAC-based system, a
> policy governs how the system security behaves, and the policy is set
> up by an administrator and obeyed by everyone.

Right. Two other important differentiators between DAC and MAC beyond the issue of administratively-defined policy include:

2) Control over all processes and objects in the system (e.g. not just files),

3) Control based on all security-relevant information, not just user identity (e.g. role in which the user is acting, function and trustworthiness of the program, sensitivity/integrity of the data).

DAC cannot protect against flawed or malicious programs.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency