{{short description|Type of access control}}
{{Distinguish|Message authentication code|Medium access control}}
{{More citations needed|date=January 2018}}
In [[computer security]], '''mandatory access control''' ('''MAC''') refers to a type of [[access control]] by which a [[secured environment]] (e.g., an [[operating system]] or a database) constrains the ability of a ''subject'' or ''initiator'' to access or modify an ''object'' or ''target''.<ref>{{Cite journal|last1=Belim|first1=S. V.|last2=Belim|first2=S. Yu.|date=December 2018|title=Implementation of Mandatory Access Control in Distributed Systems|url=http://link.springer.com/10.3103/S0146411618080357|journal=Automatic Control and Computer Sciences|language=en|volume=52|issue=8|pages=1124–1126|doi=10.3103/S0146411618080357|s2cid=73725128 |issn=0146-4116|url-access=subscription}}</ref> In the case of operating systems, the subject is a process or thread, while objects are files, directories, [[Transmission Control Protocol|TCP]]/[[User Datagram Protocol|UDP]] ports, shared memory segments, or IO devices. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, the [[kernel (operating system)|operating system kernel]] examines these security attributes, examines the authorization rules (also known as the ''policy'') in place, and decides whether to grant access. A [[database management system]], in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

In mandatory access control, the security policy is centrally controlled by a policy administrator and is guaranteed (in principle) to be enforced for all users. Users cannot override the policy and, for example, grant access to files that would otherwise be restricted.
By contrast, [[discretionary access control]] (DAC), which also governs the ability of subjects to access objects, lets users make policy decisions or assign security attributes.

Historically, MAC has been closely associated with [[multilevel security]] (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently,{{When|date=May 2024}} however, MAC has moved out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as [[SELinux]] and [[AppArmor]] for Linux and [[Mandatory Integrity Control]] for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.
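
The access decision and the MAC/DAC contrast described above, sketched as an added example (not part of the article and not code from any real operating system). The labels such as <code>httpd_t</code>, the policy table, and all class and function names are constructed for illustration; requiring both the discretionary and the mandatory check to pass is an assumption of this sketch.

```python
from dataclasses import dataclass, field

# Constructed policy: (subject label, object label) -> allowed ops. Administrator-only.
MAC_POLICY = {
    ("httpd_t", "web_content_t"): {"read"},
    ("backup_t", "shadow_t"): {"read"},
}

@dataclass(frozen=True)
class Subject:
    user: str    # identity used by the discretionary check
    label: str   # security attribute used by the mandatory check

@dataclass
class Obj:
    name: str
    owner: str
    label: str                                # assigned by the administrator
    acl: dict = field(default_factory=dict)   # user -> ops, editable by the owner

def dac_grant(obj, granting_user, to_user, op):  # DAC: the owner's own decision
    if granting_user != obj.owner:
        raise PermissionError(f"{granting_user} does not own {obj.name}")
    obj.acl.setdefault(to_user, set()).add(op)

def dac_allows(subj, obj, op):
    return subj.user == obj.owner or op in obj.acl.get(subj.user, set())

def mac_allows(subj, obj, op):
    """MAC: compare labels against the central policy; default deny."""
    return op in MAC_POLICY.get((subj.label, obj.label), set())

def access(subj, obj, op):
    """Both checks must pass, so an owner's grant cannot override a MAC denial."""
    return dac_allows(subj, obj, op) and mac_allows(subj, obj, op)

def demo():
    page = Obj("/var/www/index.html", "alice", "web_content_t")
    shadow = Obj("/etc/shadow", "root", "shadow_t")
    web = Subject("www", "httpd_t")
    out = {"page_before_grant": access(web, page, "read")}
    dac_grant(page, "alice", "www", "read")
    out["page_after_grant"] = access(web, page, "read")
    dac_grant(shadow, "root", "www", "read")   # owner tries to share the file
    out["shadow_after_grant"] = access(web, shadow, "read")
    out["root_as_httpd"] = access(Subject("root", "httpd_t"), shadow, "read")
    out["root_as_backup"] = access(Subject("root", "backup_t"), shadow, "read")
    return out
if __name__ == "__main__":
    print(demo())
```

The last two results show that the decision follows the subject's label rather than its user identity: the same user is denied under one label and allowed under another.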