On Sun, Jul 17, 2011 at 2:18 PM, Fons Adriaensen <fons@linuxaudio.org>wrote:
On Sun, Jul 17, 2011 at 01:56:58PM -0600, Thomas S Hatch wrote:
I mentioned that I consider tcp_wrappers to be a DAC, someone asked me to clarify on MAC and DAC systems, so I put up a blog post:
http://red45.wordpress.com/2011/07/17/mac-and-dac-core-security-concepts/
You equate
MAC = whitelist DAC = blacklist
Used as such they are redundant, you could just say white/blacklist instead. I've seen other definitions:
MAC: imposed on all applications, they can't opt out and it doesn't require their support. According to this, iptables is a MAC even if can be configured either in whitelist or blacklist style as you show in your blog.
DAC: voluntary, only applies to those apps that have been compiled or set up to use it. In this sense tcp_wrappers is a DAC.
So we reach the same conclusion, but from different definitions.
Ciao,
-- FA
I like it, I think that we agree, iptables is a MAC that can be configured logically to act as a DAC, whereas tcp_wrappers is just a DAC. I should clarify in my blog post that I am trying to show the concept of what MAC and DAC are, rather than the implementation classification. Thanks for the clarity :)