I don’t see many articles discussing the topics of Mandatory Access Control (MAC) and Discretionary Access Control (DAC) all that often, but InfosecIsland.com published two nice example-based posts earlier this week. Similar to a post last year from ElectricFork on the origins of the CIA triad, these concepts are fairly fundamental, so I thought we should shed some additional light on them.
(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under News and Infosec Blogs/Podcasts. -@grecs)
Heading back to one of my favorite documents … NIST IR 7298 Revision 1 – Glossary of Key Information Security Terms [PDF] defines them as follows:
- Mandatory Access Control (MAC): A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.
- Discretionary Access Control (DAC): The basis of this kind of security is that an individual user, or program operating on the user’s behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user’s control.
Got it? Clear as mud, right?
The primary MAC concept that usually sticks with me is the “labeling” idea mentioned in the NIST definition. Some “ultimate authority” defines an appropriate label for a resource (e.g., a file). When a subject (e.g., you as a user) tries to access that file, the system makes an access decision by comparing your label with the file’s label. Rather than relying on some “ultimate authority,” DAC allows anyone with appropriate permissions (e.g., the owner of a resource) to set the access rights of the file.
Still not clear … maybe Jamie Adams, who wrote the two articles I mentioned above, can explain it better.
via InfosecIsland.com
Some system administrators do not understand Mandatory Access Control (MAC) and how it interacts with Discretionary Access Control (DAC) in Linux.
In a previous post, I stated Security-Enhanced Linux (SELinux) employs MAC rules to facilitate fine-grained security. I also discussed some of the collection of rules which form standard SELinux policies such as Targeted and Strict.
I received some emails from readers which said they weren’t clear on how MAC and DAC work together in the operating system. Since I am a hands-on guy, I love to see real-world examples, so that’s what I am going to show you.
Continued here.
Jamie goes on to illustrate the MAC and DAC concepts using several SELinux examples. You may also want to check out his earlier post, which provides some of the necessary background information.
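To make the interaction concrete, here is an added toy model in Python (my own code, not from Jamie’s posts or from SELinux): each file carries owner-set mode bits (DAC) and an authority-set sensitivity label (MAC), a request passes only if both layers agree, and the DAC bits are consulted first, which is the order the Linux kernel uses before handing off to SELinux. The level names, users, and the classic “no read up, no write down” lattice rule are constructed assumptions for the example; real SELinux policies mostly use type enforcement rather than this clearance lattice.

```python
from dataclasses import dataclass
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # constructed lattice, low to high
BITS = {"read": 4, "write": 2}

@dataclass
class File:
    owner: str
    mode: int    # POSIX permission bits (DAC): the owner may change these freely
    label: str   # sensitivity label (MAC): set by the policy authority, not the owner
@dataclass
class User:
    name: str
    clearance: str   # formal authorization, compared against file labels

def dac_allows(user, f, want):
    """Discretionary check: owner bits for the owner, 'other' bits for everyone
    else (group bits are left out to keep the model short)."""
    shift = 6 if user.name == f.owner else 0
    return bool((f.mode >> shift) & BITS[want])

def mac_allows(user, f, want):
    """Mandatory check with the classic lattice rule: read only at or below
    your clearance, write only at or above it (no read up, no write down)."""
    subj, obj = LEVELS[user.clearance], LEVELS[f.label]
    return subj >= obj if want == "read" else obj >= subj

def access(user, f, want):
    """Linux order: the DAC bits are consulted first; only if they pass does
    the MAC policy (SELinux) get a vote. Returns (decision, deciding layer)."""
    if not dac_allows(user, f, want):
        return (False, "dac")
    if not mac_allows(user, f, want):
        return (False, "mac")
    return (True, "allowed")

def chmod(user, f, mode):
    """DAC in action: the owner alone may loosen or tighten the mode bits."""
    if user.name != f.owner:
        raise PermissionError("only the owner may chmod")
    f.mode = mode

def demo():
    report = File(owner="alice", mode=0o600, label="confidential")
    alice, bob, carol = User("alice", "confidential"), User("bob", "internal"), User("carol", "secret")
    out = {"bob_before": access(bob, report, "read")}   # (False, "dac")
    chmod(alice, report, 0o666)      # alice opens the file to everyone via DAC
    out["bob_read"] = access(bob, report, "read")        # (False, "mac")
    out["bob_write"] = access(bob, report, "write")      # (True, "allowed")
    out["carol_read"] = access(carol, report, "read")    # (True, "allowed")
    out["carol_write"] = access(carol, report, "write")  # (False, "mac")
    return out
```

The point of the run is the second result: alice can hand out DAC access with chmod, but bob’s clearance is still too low, so the MAC layer denies the read regardless of the mode bits.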
So does it make sense now? How would you define MAC and DAC? Let us know in the comments below.
#####
Ok, so maybe the title of this post shouldn’t have started with “Choose Your Weapon” but instead should have been about how MAC and DAC can be used together to secure your systems. And if you’re interested, I found this post’s awesome image over at Int0r.com. See ya!