Kazuki Omo(Company) wrote:
> 1. Does it have to provide complete "MAC" which Casey Schaufler
> explained in the mail below?
> http://marc.info/?l=linux-kernel&m=118252843017261&w=2

It seems to me that the term Mandatory Access Control (MAC) is used within the literature (particularly recently) to refer to a number of concepts.

* To some it implies a lattice-based access control (LBAC) (based on a model such as the Bell and LaPadula model). It is in this light that Role-Based Access Control (RBAC) is described as being neither DAC nor MAC but a new paradigm (see the RBAC literature).

* Some use the term to describe any non-discretionary access control (where users have no discretion over policy; for examples, refer to research concerning restricting or sandboxing specific processes). This seems to be the terminology the AppArmor marketing people are using.

* TCSEC defined a class of protection as "Division B: Mandatory Protection", which had various requirements that had to be met (such as system-wide data labeling, etc.) in order to meet that specification. I believe this is the historical definition of MAC, although, like many terms, its meaning has evolved past that initial definition. In some uses it no longer describes the actual evaluation criteria, but what various people believe the essence of that type of protection means in the context of access control in general.

To answer your question: given that capabilities are included as an LSM and root plug is included as an example, it seems that LSMs which provide security improvements but are not LBAC / are not non-DAC / do not meet TCSEC requirements are not excluded on that basis.

Regards,
Z. Cliffe Schreuders
