Mandatory access control

Not to be confused with Message authentication code or Medium access control.

In computer security, mandatory access control (MAC) refers to a type of access control by which a secured environment (e.g., an operating system or a database) constrains the ability of a subject or initiator to access or modify an object or target. In the case of operating systems, the subject is a process or thread, while objects are files, directories, TCP/UDP ports, shared memory segments, or I/O devices. Subjects and objects each carry a set of security attributes (labels). Whenever a subject attempts to access an object, the operating system kernel examines those attributes, consults the authorization rules (the policy) in place, and decides whether to grant access. A database management system can also apply mandatory access control in its access control mechanism; in that case the objects are tables, views, procedures, and so on.

In mandatory access control, the security policy is centrally controlled by a policy administrator and is guaranteed (in principle) to be enforced for all users. Users cannot override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, lets users make policy decisions or assign security attributes themselves: the owner of a file can hand out read or write permission to anyone. On systems that run both, the MAC check is applied in addition to the DAC check, so a MAC denial cannot be undone by a permissive DAC setting.

Historically and traditionally, MAC has been closely associated with multilevel security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has moved out of the MLS niche and has become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.

History and background

Historically, MAC was strongly associated with multilevel security (MLS) as a means of protecting classified information of the United States. The Trusted Computer System Evaluation Criteria (TCSEC), the seminal work on the subject and often known as the Orange Book, provided the original definition of MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". Early implementations of MAC such as Honeywell's SCOMP, USAF's SACDIN, NSA's Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement.

The word "mandatory" in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by the order of a government such as Executive Order 12958. Enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms. Only mechanisms that can provide absolute or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order, sometimes assumed unrealistic by those unfamiliar with high-assurance strategies, and very difficult for those who are.

In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users must hold clearances for all data. This is not necessarily true of an MLS system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified "Top Secret" information and uncleared users than for one with "Secret" information and users cleared to at least "Confidential". To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying the security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85. Two relatively independent components of robustness were defined: assurance level and functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.

The Common Criteria standard is based on this science, and it intended to preserve the assurance level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only the EAL levels were faithfully preserved. In one case, TCSEC level C2 (not a MAC-capable category) was fairly faithfully preserved in the Common Criteria as the Controlled Access Protection Profile (CAPP). The MLS Protection Profiles (such as MLSOSPP, similar to B2) are more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product's technical features adequately achieve the objective, potentially eroding the consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the technical details of the Protection Profile are critical to determining the suitability of a product.

Such an architecture prevents an authenticated user or process at a specific classification or trust level from accessing information, processes, or devices at a different level. This provides a containment mechanism for users and processes, both known and unknown. An unknown program might be an untrusted application whose accesses to devices and files the system should monitor or control.

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.
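The label-and-clearance decision described above (no read up, no write down, and a user who cannot override it) as a small worked example. This is an added illustration, not code from the article or from any labelled operating system; the level names follow the TCSEC vocabulary, while the compartments (CRYPTO, SIGINT), the users and the files are constructed for the example:

```python
"""Toy multilevel-security reference monitor in the Bell-LaPadula style.

Added example, not code from this article or from any real kernel. Level names
follow TCSEC; compartments, users and objects below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """One hierarchical level plus a set of compartments. The same structure
    serves as a subject's clearance and as an object's classification."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: self dominates other iff its level is at least as high
        and its compartment set is a superset of other's."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mls_decide(subject: Label, obj: Label, mode: str) -> bool:
    """The MAC decision, made by the reference monitor rather than by the user.

    read  : subject must dominate the object   (no read up)
    write : object must dominate the subject   (no write down)
    rw    : both, which forces the two labels to be equal
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    if mode == "rw":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def dac_decide(owner: str, acl: Dict[str, Set[str]], user: str, mode: str) -> bool:
    """Discretionary check: the owner always has access and may grant it to anyone
    by editing the ACL, which is exactly what a MAC policy must not depend on."""
    return user == owner or mode in acl.get(user, set())


def decide(user: str, clearance: Label, obj: Label, mode: str,
           owner: str, acl: Dict[str, Set[str]]) -> bool:
    """Combined check as a labelled OS performs it: DAC may further restrict an
    access, but it can never grant one that the MAC policy denies."""
    return mls_decide(clearance, obj, mode) and dac_decide(owner, acl, user, mode)


# Constructed scenario: an analyst cleared SECRET with the CRYPTO compartment.
ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
REPORT = Label("SECRET", frozenset({"CRYPTO"}))      # file she may read and write
PLAN = Label("TOP_SECRET", frozenset({"CRYPTO"}))    # classified above her clearance
BULLETIN = Label("UNCLASSIFIED")                     # public; must not receive SECRET data
SIGINT = Label("SECRET", frozenset({"SIGINT"}))      # same level, compartment she lacks


def demo() -> Dict[str, bool]:
    """Run the scenario. The owner of PLAN has put the analyst on its ACL with
    read access; the MLS check overrides that grant."""
    acl = {"analyst": {"read"}}
    return {
        "read_write_report": mls_decide(ANALYST, REPORT, "rw"),
        "read_plan_despite_dac_grant": decide("analyst", ANALYST, PLAN, "read", "director", acl),
        "write_bulletin": mls_decide(ANALYST, BULLETIN, "write"),
        "read_bulletin": mls_decide(ANALYST, BULLETIN, "read"),
        "read_sigint": mls_decide(ANALYST, SIGINT, "read"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'ALLOW' if ok else 'DENY'}")
```

The point of the combined decide() is the ordering: the director who owns the Top Secret plan can add the analyst to its ACL, but the reference monitor still refuses the read because her clearance does not dominate the label. That property, not the existence of labels, is what the word "mandatory" denotes.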
Implementations

In operating systems

Microsoft

Main articles: Mandatory Integrity Control and User Interface Privilege Isolation

Starting with Windows Vista and Server 2008, Microsoft has incorporated Mandatory Integrity Control (MIC) in the Windows operating system, which adds integrity levels (IL) to running processes. The goal is to restrict the access of less trustworthy processes to sensitive information. MIC defines five integrity levels: Low, Medium, High, System, and Trusted Installer. By default, processes start at Medium IL; elevated processes receive High IL. Child processes inherit their parent's integrity level by default, although the parent process can launch them with a lower IL. For example, Internet Explorer 7 launches its subprocesses with Low IL. Windows controls access to objects based on ILs. Named objects, including files, registry keys, and other processes and threads, carry a mandatory label entry in their security descriptor indicating the minimum IL a process needs in order to modify the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object's IL (the "no write up" rule); reading is left to the ordinary discretionary ACL unless the object's label also asks for "no read up". Furthermore, to prevent access to sensitive data in memory, a process cannot open a process with a higher IL for read access.

MIC is defence in depth rather than a formal security boundary: Microsoft has stated that UAC elevation from Medium to High IL is not a security boundary, and the isolation only holds for objects that actually carry a label.
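The integrity-level rules of the preceding paragraphs, as an added Python model (not Microsoft code and not part of the original article). The five level names are the ones listed above; the NO_WRITE_UP and NO_READ_UP flags on the object label follow the policy bits of Windows' mandatory-label entry, and the browser, renderer, installer and object paths are a constructed scenario:

```python
"""Toy model of Windows Mandatory Integrity Control (MIC) checks.

Added example, not code from this article or from Windows. Level names are the
five named above; process names, object paths and the scenario are constructed.
Real Windows keeps the label as a mandatory-label ACE in the object's SACL with
NO_WRITE_UP set by default and NO_READ_UP / NO_EXECUTE_UP optional.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

IL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "system": 4, "trusted_installer": 5}


@dataclass
class Process:
    name: str
    il: str = "medium"          # default IL for an ordinary user process

    def spawn(self, name: str, il: Optional[str] = None) -> "Process":
        """A child inherits the parent's IL unless the parent asks for a lower
        one; a parent cannot hand out an IL above its own."""
        child_il = self.il if il is None else il
        if IL[child_il] > IL[self.il]:
            raise PermissionError(f"{self.name} ({self.il}) cannot create a {child_il} child")
        return Process(name, child_il)

    def elevate(self) -> "Process":
        """UAC elevation re-launches the program as a High-IL process."""
        return Process(self.name, "high")


@dataclass
class LabeledObject:
    name: str
    il: str = "medium"                       # minimum IL needed to modify the object
    policy: Set[str] = field(default_factory=lambda: {"NO_WRITE_UP"})


def mic_object_check(proc: Process, obj: LabeledObject, mode: str) -> bool:
    """MIC decision for a named object (file, registry key, ...). It runs before
    the discretionary ACL check, so True here still needs the DAC check to pass."""
    higher = IL[obj.il] > IL[proc.il]
    if mode in ("write", "delete"):
        return not (higher and "NO_WRITE_UP" in obj.policy)
    if mode == "read":
        return not (higher and "NO_READ_UP" in obj.policy)
    if mode == "execute":
        return not (higher and "NO_EXECUTE_UP" in obj.policy)
    raise ValueError(mode)


def mic_process_open(opener: Process, target: Process, mode: str) -> bool:
    """Process objects: a lower-IL process may not open a higher-IL one for
    reading or writing, which keeps sensitive memory out of its reach."""
    if mode in ("read", "write"):
        return IL[opener.il] >= IL[target.il]
    return True


def demo() -> Dict[str, bool]:
    """Constructed scenario modelled on the Internet Explorer 7 case above."""
    browser = Process("iexplore.exe")                         # medium
    renderer = browser.spawn("iexplore.exe (tab)", "low")     # low, as IE7 does
    installer = browser.elevate()                             # high after UAC
    document = LabeledObject(r"C:\Users\alice\report.docx")   # medium by default
    program_files = LabeledObject(r"C:\Program Files", il="high")
    return {
        "low_renderer_writes_user_doc": mic_object_check(renderer, document, "write"),
        "low_renderer_reads_user_doc": mic_object_check(renderer, document, "read"),
        "medium_browser_writes_program_files": mic_object_check(browser, program_files, "write"),
        "elevated_writes_program_files": mic_object_check(installer, program_files, "write"),
        "low_renderer_reads_browser_memory": mic_process_open(renderer, browser, "read"),
        "browser_reads_renderer_memory": mic_process_open(browser, renderer, "read"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:38s} {'ALLOW' if ok else 'DENY'}")
```

Two things the model makes visible: MIC only ever says no to write, delete and, when the label asks for it, read-up, so a Low-IL renderer can still read a Medium-IL document if the discretionary ACL allows it; and the process-open rule is what stops a compromised low-integrity tab from inspecting the memory of the browser that spawned it.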
Apple

Apple Inc. has incorporated an implementation of the TrustedBSD MAC framework in its iOS and macOS operating systems. (The "mac" in "macOS" is short for "Macintosh" and has nothing to do with the abbreviation for mandatory access control.) The sandbox_init(3) library function provides a limited high-level sandboxing interface built on that framework.

Google

Version 5.0 and later of the Android operating system, developed by Google, use SELinux to enforce a MAC security model on top of its original UID-based DAC approach (SELinux shipped in permissive mode in Android 4.3 and partially enforcing in 4.4 before becoming fully enforcing in 5.0).

Linux family

Linux and many other Unix-like systems separate privilege at the hardware level (CPU protection rings, disk and memory protection), and Linux became known during the 1990s as more secure and far more stable than non-Unix alternatives. Those mechanisms are not MAC in the policy sense, however; MAC on Linux is provided by the kernel frameworks described below, most of which plug into the Linux Security Modules (LSM) interface.

Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is the Mandatory Access Control model. A general goal of the RSBAC design was to try to reach the (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.

Smack (Simplified Mandatory Access Control Kernel) is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release.

TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux, developed by NTT Data Corporation. It was merged into the mainline Linux kernel in version 2.6.30 in June 2009. Unlike the label-based approach used by SELinux, TOMOYO Linux performs pathname-based Mandatory Access Control, separating security domains according to process invocation history, which describes the system's behaviour. Policies are described in terms of pathnames. A security domain is simply defined by a process call chain and represented by a string. There are four modes: disabled, learning, permissive, and enforcing. Administrators can assign different modes to different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses that occur in the kernel are automatically analysed and stored to generate MAC policy; this mode can serve as the first step of policy writing, making the policy easy to customise later. A practitioner's caveat: pathname-based policy is only as strong as the binding between a name and the object behind it, so hard links, renames and bind mounts that give a protected object a second name need attention, whereas label-based systems such as SELinux and Smack attach the label to the inode itself.

SUSE Linux and Ubuntu 7.10 added a MAC implementation called AppArmor, which utilizes the Linux Security Modules (LSM) interface of Linux 2.6. LSM is a set of hooks at security-relevant points in the kernel (file opens, execs, socket operations and so on) through which a loaded module can make an additional allow/deny decision after the ordinary DAC (access-control list) check has passed. AppArmor confines only programs for which a profile has been loaded, so it is not capable of restricting all programs; it has been available as an optional component of the mainline Linux kernel since version 2.6.36.

grsecurity is a patch for the Linux kernel providing a MAC implementation (precisely, it is an RBAC implementation). grsecurity is not implemented via the LSM API.

Astra Linux, an OS developed for the Russian Army, has its own mandatory access control.
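The learning-then-enforcing workflow and the call-chain domains described for TOMOYO, as an added simulation in Python (not TOMOYO's code and not from the article). The "<kernel> /usr/sbin/httpd" domain strings and "file read /path" policy lines follow TOMOYO's policy text only loosely; the binaries, paths and the sequence of recorded accesses are constructed:

```python
"""Toy pathname-based MAC in the TOMOYO Linux style: domains named by the exec
chain, a mode per domain, and a learning mode that records accesses as policy.

Added example, not code from this article or from TOMOYO. The policy text is a
simplification of TOMOYO's; binaries, paths and accesses are constructed.
"""
from typing import Dict, List, Set, Tuple

KERNEL = "<kernel>"
MODES = ("disabled", "learning", "permissive", "enforcing")
Access = Tuple[str, str]   # (operation, pathname), e.g. ("read", "/etc/hosts")


class PathnameMonitor:
    def __init__(self) -> None:
        self.policy: Dict[str, Set[Access]] = {}      # domain -> allowed accesses
        self.modes: Dict[str, str] = {}               # domain -> mode (default disabled)
        self.denials: List[Tuple[str, Access]] = []   # what permissive/enforcing logged

    @staticmethod
    def transition(domain: str, program: str) -> str:
        """exec() appends the new program's pathname to the caller's domain, so
        /bin/sh run from httpd and /bin/sh run from sshd are different domains."""
        return f"{domain} {program}"

    def set_mode(self, domain: str, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(mode)
        self.modes[domain] = mode

    def check(self, domain: str, op: str, path: str) -> bool:
        """Mediate one access from the given domain and return the decision."""
        mode = self.modes.get(domain, "disabled")
        access: Access = (op, path)
        if mode == "disabled":
            return True
        if mode == "learning":
            self.policy.setdefault(domain, set()).add(access)   # record, never deny
            return True
        if access in self.policy.get(domain, set()):
            return True
        self.denials.append((domain, access))
        return mode == "permissive"                              # log only vs. deny

    def dump(self, domain: str) -> str:
        """Render a domain's learned policy in a TOMOYO-like text form."""
        lines = [domain] + [f"file {op} {path}" for op, path in sorted(self.policy.get(domain, ()))]
        return "\n".join(lines)


def demo() -> Dict[str, object]:
    mon = PathnameMonitor()
    httpd = mon.transition(KERNEL, "/usr/sbin/httpd")
    sshd = mon.transition(KERNEL, "/usr/sbin/sshd")
    httpd_sh = mon.transition(httpd, "/bin/sh")
    sshd_sh = mon.transition(sshd, "/bin/sh")

    # Phase 1: exercise the web server in learning mode (constructed accesses).
    mon.set_mode(httpd, "learning")
    for op, path in [("read", "/etc/hosts"), ("read", "/var/www/index.html"),
                     ("write", "/var/log/httpd/access_log")]:
        mon.check(httpd, op, path)

    # Phase 2: switch to enforcing; only the learned accesses survive.
    mon.set_mode(httpd, "enforcing")
    mon.set_mode(httpd_sh, "enforcing")   # shell spawned by httpd: nothing was learned
    mon.set_mode(sshd_sh, "permissive")   # shell spawned by sshd: log but allow
    return {
        "httpd_reads_index": mon.check(httpd, "read", "/var/www/index.html"),
        "httpd_reads_shadow": mon.check(httpd, "read", "/etc/shadow"),
        "httpd_shell_reads_shadow": mon.check(httpd_sh, "read", "/etc/shadow"),
        "sshd_shell_reads_shadow": mon.check(sshd_sh, "read", "/etc/shadow"),
        "denials_logged": len(mon.denials),
        "httpd_policy": mon.dump(httpd),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows why domains are keyed on the whole exec chain: /bin/sh started by httpd has learned nothing and is refused in enforcing mode, while the same binary started by sshd, whose domain is in permissive mode, gets its access logged rather than blocked. The text returned by dump() is what an administrator would review and trim before switching a domain to enforcing.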
Other OSes

FreeBSD supports Mandatory Access Control, implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba and multilevel security.

Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. Note, however, that the capability to manage labels does not imply the kernel strength to operate in multilevel security mode. Access to the labels and control mechanisms is not robustly protected from corruption within the protected domain maintained by the kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices is only weakly controlled.

See also

Access control
Attribute-based access control (ABAC)
Context-based access control (CBAC)
Discretionary access control (DAC)
Lattice-based access control (LBAC)
Organisation-based access control (OrBAC)
Role-based access control (RBAC)
Rule-set-based access control (RSBAC)

Other topics

Bell–LaPadula model
Capability-based security
Clark–Wilson model
Graham–Denning model
Multiple single-level
Risk-based authentication
Security modes
Systrace
Take-grant protection model
Type enforcement

References

P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, Oct. 1998.
P. A. Loscocco, S. D. Smalley. Meeting Critical Security Objectives with Security-Enhanced Linux. Proceedings of the 2001 Ottawa Linux Symposium.
Robert N. M. Watson. "A decade of OS access-control extensibility". Commun. ACM 56, 2 (February 2013), 52–63.