DaemonForums  

#1   7th July 2008   tanked
Mandatory Access Control

Does anyone understand MAC? I've been reading the handbook article on it:

http://www.freebsd.org/doc/en_US.ISO...dbook/mac.html

but I still don't really understand it. I understand what most of the various modules do but I don't understand what the advantages of using MAC are over simple file permissions. The most confusing to me is the multi-level security module - http://www.freebsd.org/doc/en_US.ISO...k/mac-mls.html - I just don't get it.

Can someone provide a 'MAC for dummies' type explanation?
#2   7th July 2008   richardpl

www.trustedbsd.org has a lot of documentation, including on MAC and MLS ....
#3   7th July 2008   tanked

Yeah, I've seen that link before, I still don't understand though.
#4   8th July 2008   richardpl

What? You don't understand English?
#5   8th July 2008   Darwimy

You will need MAC if you have to implement auditing or stronger security. Basically, with MAC a security administrator can define that even the owner of an object cannot do everything with his object. Usually this requirement arises in highly security-sensitive areas like military, governmental or core business services.
#6   10th July 2008   tanked

Quote:
Originally Posted by richardpl
What? You don't understand English?

Not only do I understand English, I am English.

Quote:
Originally Posted by Jmdbh
You will need MAC if you have to implement auditing or stronger security. Basically, with MAC a security administrator can define that even the owner of an object cannot do everything with his object. Usually this requirement arises in highly security-sensitive areas like military, governmental or core business services.

Thanks. As I said, I more or less understand what the individual MAC modules do, but I couldn't see what advantage MAC has over proper use of file/directory permissions.
#7   10th July 2008   cajunman4life (Real Name: Aaron Graves)

Quote:
Originally Posted by richardpl
What? You don't understand English?

Come on guys... can't we contribute something a bit more than this to questions asked here?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
#8   7th November 2008   hydra

Hey tanked, I know how you feel. I was the same when reading it.

OK, but MAC is not just like file permissions. First of all, Unix has DAC - the user can choose what files have what permission. In MAC, it's enforced by the system what permission one has. The MAC implementation in FreeBSD also allows things like binding non-privileged apps to ports below 1024.

With MAC it's possible to do the following: suppose you have students and a teacher.
Students will be able to write to the teacher, but not be able to read from the teacher.
The teacher will be able to read from the students, but will not be able to write to the students.

Bell-LaPadula / Biba model that is. Read more on wiki.
However, good luck, MAC is not for mortals!
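The student/teacher rules from the post above, as an added example (not from the thread and not FreeBSD's mac_mls code): a toy model in which a Bell-LaPadula label check is applied on top of ordinary permission bits. The names, levels and files are constructed for illustration, and group bits and compartments are left out.

```python
# Toy model added for illustration; this is not FreeBSD's mac_mls code.
from dataclasses import dataclass

LOW, HIGH = 0, 1  # constructed levels: students are LOW, the teacher is HIGH

@dataclass
class Subject:
    name: str
    level: int  # label the administrator assigned to the user

@dataclass
class File:
    owner: str
    mode: int   # permission bits, changeable by the owner (DAC)
    level: int  # sensitivity label, not changeable by the owner (MAC)

def dac_allows(subj, f, op):
    """Owner bits for the owner, 'other' bits for everyone else (no groups)."""
    shift = 6 if subj.name == f.owner else 0
    return bool((f.mode >> shift) & (4 if op == "read" else 2))

def mls_allows(subj, f, op):
    """Bell-LaPadula: no read up, no write down."""
    return subj.level >= f.level if op == "read" else subj.level <= f.level

def access(subj, f, op):
    # Both checks must pass, so chmod alone cannot open up a labelled file.
    return dac_allows(subj, f, op) and mls_allows(subj, f, op)

student, teacher = Subject("student", LOW), Subject("teacher", HIGH)
homework = File(owner="student", mode=0o666, level=LOW)
gradebook = File(owner="teacher", mode=0o666, level=HIGH)
notice = File(owner="teacher", mode=0o666, level=LOW)  # teacher-owned, LOW label

def demo():
    return {
        "student reads gradebook": access(student, gradebook, "read"),
        "student writes gradebook": access(student, gradebook, "write"),
        "teacher reads homework": access(teacher, homework, "read"),
        "teacher writes homework": access(teacher, homework, "write"),
        "teacher writes own notice, DAC only": dac_allows(teacher, notice, "write"),
        "teacher writes own notice, DAC+MAC": access(teacher, notice, "write"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Every file here is mode 0666, so permission bits alone would allow all six operations; the denials come only from the labels, including the last case where the teacher owns the file.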