In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

Historically and traditionally, MAC has been closely associated with multilevel security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has deviated out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.

Historical background and implications for multilevel security

Historically, MAC was strongly associated with multilevel security (MLS) as a means of protecting US classified information. The Trusted Computer System Evaluation Criteria (TCSEC), the seminal work on the subject, provided the original definition of MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". Early implementations of MAC such as Honeywell's SCOMP, USAF SACDIN, NSA Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement.

The term mandatory in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by order of a government such as the Executive Order 12958 for US classified information. Enforcement is supposed to be more imperative than for commercial applications.
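The following is an added illustration, not part of the original article and not the code of any real kernel or database: a toy reference monitor in Python that puts the DAC and MAC checks described above side by side. Subjects carry a clearance and objects carry a sensitivity label in the TCSEC sense (a hierarchical level plus a set of compartments); the MAC rule here is the usual "clearance dominates label" test for reading, and the DAC rule is a simplified Unix mode check (owner and "other" bits only, no groups). The level names, the `secadmin` administrator role and the `CRYPTO` compartment are constructed for the example. The point it shows is the one the text makes: the file's owner can loosen DAC permissions at will, but the kernel still denies an under-cleared subject because the mandatory label check is not the owner's to change.

```python
"""Toy reference monitor contrasting discretionary (DAC) and mandatory (MAC)
access control.  Constructed example; not taken from any real system."""
from dataclasses import dataclass

# Hypothetical ordered hierarchy of sensitivity levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label of an object, or clearance of a subject."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A clearance dominates a label when its level is at least as high
        # and it holds every compartment the label requires.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class File:
    owner: str
    mode: int      # DAC: simplified Unix mode bits (owner and "other" only)
    label: Label   # MAC: assigned by the security administrator, not the owner


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Label


ADMINS = {"secadmin"}  # hypothetical security policy administrator role


def dac_allows_read(subj: Subject, f: File) -> bool:
    """Discretionary check: the owner decides via the mode bits."""
    bit = 0o400 if subj.user == f.owner else 0o004
    return bool(f.mode & bit)


def mac_allows_read(subj: Subject, f: File) -> bool:
    """Mandatory check: the subject's clearance must dominate the label."""
    return subj.clearance.dominates(f.label)


def kernel_read(subj: Subject, f: File) -> bool:
    """The reference monitor consults both rule sets; both must allow."""
    return dac_allows_read(subj, f) and mac_allows_read(subj, f)


def chmod(subj: Subject, f: File, mode: int) -> None:
    """DAC: the owner may loosen or tighten permissions at will."""
    if subj.user != f.owner:
        raise PermissionError(f"{subj.user} does not own the file")
    f.mode = mode


def relabel(subj: Subject, f: File, label: Label) -> None:
    """MAC: only the policy administrator may change an object's label."""
    if subj.user not in ADMINS:
        raise PermissionError(f"{subj.user} may not relabel objects")
    f.label = label


def scenario() -> dict:
    """Walk through the DAC-vs-MAC contrast; returns each step's outcome."""
    alice = Subject("alice", Label("SECRET"))         # file owner, cleared
    bob = Subject("bob", Label("CONFIDENTIAL"))       # under-cleared
    carol = Subject("carol", Label("TOP_SECRET"))     # high level, no compartments
    admin = Subject("secadmin", Label("TOP_SECRET", frozenset({"CRYPTO"})))
    f = File(owner="alice", mode=0o600, label=Label("SECRET"))

    out = {}
    out["owner_reads"] = kernel_read(alice, f)             # allowed by both checks
    out["bob_before_chmod"] = kernel_read(bob, f)          # denied already by DAC
    chmod(alice, f, 0o644)                                 # owner opens it up (DAC)
    out["bob_dac_after_chmod"] = dac_allows_read(bob, f)   # DAC now permits
    out["bob_after_chmod"] = kernel_read(bob, f)           # MAC still denies
    try:
        relabel(alice, f, Label("UNCLASSIFIED"))          # owner cannot override policy
        out["owner_relabel"] = "allowed"
    except PermissionError:
        out["owner_relabel"] = "denied"
    # Compartments: a higher level alone does not dominate a compartmented label.
    relabel(admin, f, Label("SECRET", frozenset({"CRYPTO"})))
    out["carol_no_compartment"] = kernel_read(carol, f)
    out["admin_reads"] = kernel_read(admin, f)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Running `scenario()` shows the conjunctive structure of the check: `chmod` flips `bob_dac_after_chmod` to true while `bob_after_chmod` stays false, and the owner's attempt to relabel is refused because label changes belong to the administrator alone.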