[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")
Jonathan S. Shapiro
shap at eros-os.com
Wed Jan 3 14:45:41 CST 2007
On Wed, 2007-01-03 at 12:22 -0600, Karp, Alan H wrote:
> Jed wrote:
> > Is MAC
> > really just another name for MLS? If no, perhaps somebody could
> > suggest a MAC scheme that isn't MLS?
> >
> Compartments.

I don't know that I believe it, but there is a credible argument that
goes like this:

Mandatory policies govern authority, not permissions. That is: they are
information flow policies.

All enforceable information flow policies that might be labeled
mandatory prove to restrict the flow of information according to a
dominance lattice.

Therefore, MLS is in fact the *only* mandatory policy, modulo the
possibility that there might be more levels and labels in other
lattice-governed policies.
--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
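
An added illustration, not part of the original message or thread: a minimal dominance lattice over (level, compartment-set) labels, showing that a compartments-only policy is the same lattice with the level held fixed. The level names, compartment names and helper functions are constructed for this sketch.

```python
from dataclasses import dataclass

# Constructed hierarchy for the example; any total order works.
LEVELS = ("unclassified", "confidential", "secret", "top-secret")

@dataclass(frozen=True)
class Label:
    level: int               # index into LEVELS
    compartments: frozenset  # need-to-know categories

    def dominates(self, other):
        """self >= other in the product of level order and subset order."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)

    def join(self, other):
        """Least upper bound: the label of data derived from both inputs."""
        return Label(max(self.level, other.level),
                     self.compartments | other.compartments)

    def meet(self, other):
        """Greatest lower bound: the highest label dominated by both."""
        return Label(min(self.level, other.level),
                     self.compartments & other.compartments)

def label(level, *compartments):
    return Label(LEVELS.index(level), frozenset(compartments))

def compartment_only(*compartments):
    """A compartment policy with no hierarchy: every label shares one level."""
    return label("unclassified", *compartments)

def may_flow(src, dst):
    """Information may move from src to dst only if dst dominates src."""
    return dst.dominates(src)

if __name__ == "__main__":
    crypto, nuclear = compartment_only("crypto"), compartment_only("nuclear")
    print("crypto -> nuclear:", may_flow(crypto, nuclear))           # incomparable
    print("crypto -> join:   ", may_flow(crypto, crypto.join(nuclear)))
    print("secret/crypto -> top-secret/nuclear:",
          may_flow(label("secret", "crypto"), label("top-secret", "nuclear")))
```
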