> -----Original Message-----
> From: fedora-devel-list-bounces@xxxxxxxxxx [mailto:fedora-devel-list-bounces@xxxxxxxxxx] On Behalf Of Stephen Smalley
>
> On Thu, 2004-10-07 at 14:52, Felipe Alfaro Solana wrote:
> > They are such different beasts: With DAC, permissions over resources
> > are managed by their owners (root or users). In a MAC-based system, a
> > policy governs how the system security behaves, and the policy is set
> > up by an administrator and obeyed by everyone.
>
> Right. Two other important differentiators between DAC and MAC beyond
> the issue of administratively-defined policy include:
> 2) Control over all processes and objects in the system (e.g. not just
> files),
> 3) Control based on all security-relevant information, not just user
> identity (e.g. role in which the user is acting, function and
> trustworthiness of the program, sensitivity/integrity of the data).
>
> DAC cannot protect against flawed or malicious programs.
>

This can't be stressed enough. SELinux is a disruptive technology, but it is the first time that a security technology that solves some of the fundamental security problems that are plaguing computers is available in a mainstream operating system.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> --
> Stephen Smalley <sds@xxxxxxxxxxxxxx>
> National Security Agency