On Wednesday, 12/24/2008 at 01:32 EST, Rick Troth <[email protected]> wrote:
> Since many of us are accustomed to MAC being a certain 48-bit address,
> here the acronym MAC means "mandatory access controls" in contrast
> with "media access controller". In the latter (DAC), the D is
> "discretionary". The idea is that with traditional software systems
> certain full-access modes require DISCRETION in the code so that
> bad things do not happen. But if that code can be compromised or if
> it contains back-door functions then MANDATORY control is warranted.

Not quite, Rick. "Discretionary" refers to decisions made by people, not code. That is, access is at the *discretion* of the system admin or resource owner. "Mandatory" refers to a set of rules that are capable of overriding the wishes of the user.

When MAC is enabled, all accesses under discretionary control are automatically placed under mandatory access control. There may be additional mandatory controls established for which no DAC exists. (VM example of the latter point: CP MSG)

The ability to compromise code or the existence of back-door functions is not relevant.

Alan Altmark
z/VM Development
IBM Endicott
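The layering described in the reply above, as an added example that is not part of the original message and is not z/VM or RACF code. The `Resource` and `Monitor` classes, the integer levels used as the mandatory rule, and the user names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    owner: str
    level: int                                # label set by the security admin
    acl: set = field(default_factory=set)     # users the owner chose to permit

    def grant(self, requester, user):
        # DAC: access is at the discretion of the resource owner.
        if requester != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.add(user)

class Monitor:
    def __init__(self, clearances, mac_enabled=True):
        self.clearances = clearances          # user -> level, not user-editable
        self.mac_enabled = mac_enabled

    def _mac_ok(self, user, level):
        # Assumed mandatory rule: the user's level must be >= the target level.
        if not self.mac_enabled:
            return True
        return self.clearances.get(user, 0) >= level

    def read(self, user, res):
        dac_ok = user == res.owner or user in res.acl
        # Every access under discretionary control also passes the mandatory rule.
        return dac_ok and self._mac_ok(user, res.level)

    def message(self, sender, recipient):
        # No DAC exists for this operation (no owner, no ACL); only the
        # mandatory rule applies: the recipient must dominate the sender.
        return self._mac_ok(recipient, self.clearances.get(sender, 0))

def demo():
    clearances = {"alice": 2, "bob": 1}       # constructed sample data
    payroll = Resource("payroll", "alice", level=2)
    payroll.grant("alice", "bob")             # the owner wishes bob to have access
    on, off = Monitor(clearances), Monitor(clearances, mac_enabled=False)
    return {
        "bob_read_mac_off": off.read("bob", payroll),   # DAC alone allows it
        "bob_read_mac_on": on.read("bob", payroll),     # mandatory rule overrides
        "alice_read_mac_on": on.read("alice", payroll),
        "msg_alice_to_bob": on.message("alice", "bob"),
        "msg_bob_to_alice": on.message("bob", "alice"),
    }

if __name__ == "__main__":
    print(demo())
```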
