A few questions
Stephen Smalley
sds at tycho.nsa.gov
Thu Sep 21 14:53:53 UTC 2006
On Thu, 2006-09-21 at 10:15 -0400, Christopher J. PeBenito wrote:
> On Thu, 2006-09-21 at 15:07 +0200, Salvo Giuffrida wrote:
> > - What makes the access control of SELinux "mandatory"? The fact that normal
> > users can't change the security policy?
>
> Yes. Policy only is set by the admin.
Mandatory access control implies a bit more than just admin-only policy
(otherwise AppArmor would qualify, as would many other things). In
particular, we identify three properties for MAC:
- complete mediation (control over all processes and objects),
- complete and accurate basis for security decisions (decisions based on
all security relevant information, and accurately reflecting the
security properties of the process and object),
- administrator-defined policy.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list