[cap-talk] Mandatory Access Control
Ka-Ping Yee
cap-talk at zesty.ca
Thu Jan 4 02:32:15 CST 2007
After looking around some more it is starting to appear to me
that the confusion about the terms MAC and DAC stems from the
fact that each term is used in two distinct ways:

  - to refer to a quality of access control models

  - to refer to a specific method (the most common method)
    of implementing access control that bears that quality

In the case of DAC, the quality is "local or user-level control
over access policy" and the implementation is "objects have owners
that can edit their ACLs".

In the case of MAC, the quality is "global or system-level control
over access policy" and the implementation is "compare the subject
clearance level to object's sensitivity label".

In discussions of the terms the implementation is frequently
mistaken for the quality.

Capabilities are like neither implementation, but can be used to
provide both qualities.

-- ?!ng
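
The two implementations named in the message above, side by side, as an added example that is not part of the original post. All class, function and user names are hypothetical, and the "read only at or below your clearance" rule is an assumed way of doing the comparison; the point is who is allowed to change the policy in each model.

```python
LEVELS = {"public": 0, "secret": 1, "top-secret": 2}  # constructed ordering


class DacObject:
    """DAC implementation: the object has an owner who can edit its ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner}

    def grant(self, actor, user):
        # Quality: policy is controlled locally, by the owning user.
        if actor != self.owner:
            raise PermissionError("only the owner may edit the ACL")
        self.acl.add(user)

    def can_read(self, user):
        return user in self.acl


class MacSystem:
    """MAC implementation: clearances and labels are assigned system-wide."""

    def __init__(self, clearances, labels, admin):
        self.clearances, self.labels, self.admin = dict(clearances), dict(labels), admin

    def relabel(self, actor, obj, level):
        # Quality: policy is controlled globally; ordinary users cannot change it.
        if actor != self.admin:
            raise PermissionError("only the system administrator may relabel")
        self.labels[obj] = level

    def can_read(self, user, obj):
        # Assumed rule: compare subject clearance to object sensitivity label.
        return LEVELS[self.clearances[user]] >= LEVELS[self.labels[obj]]


def demo():
    doc = DacObject(owner="alice")
    before = doc.can_read("bob")
    doc.grant("alice", "bob")  # alice changes policy on her own object
    after = doc.can_read("bob")

    mac = MacSystem({"alice": "secret", "bob": "public"}, {"plan": "secret"}, "root")
    try:
        mac.relabel("alice", "plan", "public")  # alice tries to share by downgrading
        user_changed_policy = True
    except PermissionError:
        user_changed_policy = False
    return (before, after, mac.can_read("alice", "plan"),
            mac.can_read("bob", "plan"), user_changed_policy)
```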