[arch-general] [arch-dev-public] dropping tcp_wrapper support

Thomas S Hatch thatch45 at gmail.com
Sun Jul 17 16:24:56 EDT 2011


On Sun, Jul 17, 2011 at 2:18 PM, Fons Adriaensen <fons at linuxaudio.org> wrote:

> On Sun, Jul 17, 2011 at 01:56:58PM -0600, Thomas S Hatch wrote:
> > I mentioned that I consider tcp_wrappers to be a DAC, someone asked me to
> > clarify on MAC and DAC systems, so I put up a blog post:
> >
> >
> http://red45.wordpress.com/2011/07/17/mac-and-dac-core-security-concepts/
>
> You equate
>
> MAC = whitelist
> DAC = blacklist
>
> Used as such they are redundant, you could just say
> white/blacklist instead. I've seen other definitions:
>
> MAC: imposed on all applications, they can't opt out
> and it doesn't require their support. According to
> this, iptables is a MAC even if it can be configured
> either in whitelist or blacklist style as you show
> in your blog.
>
> DAC: voluntary, only applies to those apps that have
> been compiled or set up to use it. In this sense
> tcp_wrappers is a DAC.
>
> So we reach the same conclusion, but from different
> definitions.
>
> Ciao,
>
> --
> FA
>
>
I like it; I think that we agree: iptables is a MAC that can
be configured logically to act as a DAC, whereas tcp_wrappers is just a DAC.

I should clarify in my blog post that I am trying to show the concept of
what MAC and DAC are, rather than the implementation classification.

Thanks for the clarity :)

