Mandatory access control
=== Linux family ===

[[Linux]] and many other [[Unix]] distributions have MAC for CPU (multi-ring), disk, and memory. While OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives.{{Citation needed|date=May 2024}} The three main Linux Security Modules implementing MAC are [[SELinux]], [[AppArmor]], and [[TOMOYO Linux]].<ref name="lsm">{{cite web | url = https://linuxsecurity.com/news/security-projects/linux-security-modules-lsm-selinux-vs-apparmor-vs-tomoyo | title = Linux Security Modules Overview: SELinux, AppArmor, and TOMOYO Comparison | date = 2024-09-24 | access-date = 2025-05-05}}</ref>

[[SELinux|Security-Enhanced Linux (SELinux)]] was originally developed by the [[NSA]] and released to the open source community in 2000.<ref>{{cite web | url = https://www.nsa.gov/news-features/press-room/press-releases/2001/se-linux.shtml | archive-url = https://web.archive.org/web/20180918025937/https://www.nsa.gov/news-features/press-room/press-releases/2001/se-linux.shtml | archive-date = 2018-09-18 | title = National Security Agency Shares Security Enhancements to Linux | date = 2001-01-02 | work = NSA Press Release | publisher = National Security Agency Central Security Service | location = Fort George G. Meade, Maryland | access-date = 2025-05-05}}</ref> It is one of the first MAC implementations for Linux and is also one of the most popular.<ref>{{cite web | url = https://github.blog/developer-skills/programming-languages-and-frameworks/introduction-to-selinux/ | title = Introduction to SELinux | date = 2023-07-05 | access-date = 2025-05-05}}</ref> It has been incorporated into Linux kernels since v2.4, and is enabled by default on Android 5.0+ and Red Hat/Fedora. SELinux provides powerful fine-grained control, which makes it suitable for high-security environments, but many users find that its power and granularity come with a high degree of complexity and a steep learning curve.<ref name="lsm" />

[[TOMOYO Linux]] is a lightweight MAC implementation for [[Linux]] and [[Embedded Linux]], developed by [[NTT Data Corporation]]. It was merged into the mainline Linux kernel in version 2.6.30 in June 2009.<ref name="Ref_b">{{cite web | title=TOMOYO Linux, an alternative Mandatory Access Control | publisher=Linux Kernel Newbies | work=Linux 2 6 30 | url=http://kernelnewbies.org/Linux_2_6_30#head-eeb259e0ba81d96d59015b8f79456d9a5283c650}}</ref> Unlike the ''label-based'' approach used by [[SELinux]], TOMOYO Linux performs ''pathname-based'' mandatory access control, separating security domains according to process invocation history, which describes the system behavior. Policies are described in terms of pathnames. A security domain is simply defined by a process call chain and is represented by a string. There are four modes: disabled, ''learning'', permissive, and enforcing. Administrators can assign different modes to different domains. TOMOYO Linux introduced the "learning" mode, in which accesses that occur in the kernel are automatically analyzed and stored to generate MAC policy; this mode can then be the first step of policy writing, making the policy easy to customize later.

[[AppArmor]] is a MAC implementation which utilizes the [[Linux Security Modules]] (LSM) interface of Linux 2.6 and is incorporated into [[SUSE Linux]] and [[Ubuntu (operating system)|Ubuntu]] 7.10. LSM provides a kernel [[application programming interface|API]] that allows modules of kernel code to govern ACL (DAC ACL, access-control lists). AppArmor is not capable of restricting all programs and has been optionally included in the Linux kernel as of version 2.6.36.<ref name="Ref_c">{{cite web | title=Linux 2.6.36 released 20 October 2010 | publisher=Linux Kernel Newbies | work=Linux 2.6.36 | url=http://kernelnewbies.org/Linux_2_6_36}}</ref>

Amon Ott's [[RSBAC]] (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is the Mandatory Access Control model. A general goal of the RSBAC design was to try to reach the (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the [[project owner]].

[[Smack (software)|Smack]] (Simplified Mandatory Access Control Kernel) is a [[Linux kernel]] [[Linux Security Modules|security module]] that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal.<ref name="Major">{{cite web|url=http://schaufler-ca.com/description_from_the_linux_source_tree |title=Official SMACK documentation from the Linux source tree |archiveurl=https://web.archive.org/web/20130501010740/http://schaufler-ca.com/description_from_the_linux_source_tree |archivedate=2013-05-01 |url-status=dead }}</ref> It has been officially merged since the Linux 2.6.25 release.<ref name="Merge">{{cite web|url=https://lwn.net/Articles/267849/ |title=More stuff for 2.6.25 |author=Jonathan Corbet |archiveurl=https://web.archive.org/web/20121102083054/http://lwn.net/Articles/267849/ |archivedate=2012-11-02 |url-status=dead }}</ref>

<code>grsecurity</code> is a patch for the Linux kernel providing a MAC implementation (more precisely, it is an [[RBAC]] implementation). <code>grsecurity</code> is not implemented via the [[Linux Security Modules|LSM]] API.<ref name="Ref_d">{{cite web | title=Why doesn't grsecurity use LSM? | url=http://grsecurity.net/lsm.php}}</ref>

The [[Astra Linux]] OS, developed for the [[Russian Army]], has its own mandatory access control.<ref>{{in lang|ru}} [http://astra-linux.com/klyuchevye-osobennosti.html Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации] {{Webarchive|url=https://web.archive.org/web/20140716115137/http://astra-linux.com/klyuchevye-osobennosti.html |date=2014-07-16 }}</ref>
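
The pathname-based, call-chain domain model and the per-domain modes described for TOMOYO Linux above can be sketched as a small simulation. This is an added example, not TOMOYO code and not part of the original article: the class and method names are hypothetical, the <code>&lt;kernel&gt;</code> root prefix follows TOMOYO's domain-name convention, and the permissive (log only) and enforcing (deny) semantics are assumed from the usual meaning of those terms.

```python
# Simplified model, not TOMOYO code; class and method names are hypothetical.
from collections import defaultdict


class PathnameMAC:
    MODES = ("disabled", "learning", "permissive", "enforcing")

    def __init__(self):
        self.mode = defaultdict(lambda: "disabled")  # per-domain mode
        self.policy = defaultdict(set)               # domain -> {(op, path)}
        self.audit = []                              # logged violations

    @staticmethod
    def domain_of(*call_chain):
        # A domain is the process invocation history, kept as one string.
        return " ".join(("<kernel>",) + call_chain)

    def set_mode(self, domain, mode):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.mode[domain] = mode

    def check(self, domain, op, path):
        """Return True if the access is allowed in this domain."""
        mode, rule = self.mode[domain], (op, path)
        if mode == "disabled" or rule in self.policy[domain]:
            return True
        if mode == "learning":       # allow, and record as future policy
            self.policy[domain].add(rule)
            return True
        self.audit.append((mode, domain, op, path))
        return mode == "permissive"  # permissive only logs; enforcing denies


def demo():
    mac = PathnameMAC()
    # Constructed call chains: the same /bin/bash lands in two domains.
    sshd_sh = mac.domain_of("/usr/sbin/sshd", "/bin/bash")
    web_sh = mac.domain_of("/usr/sbin/httpd", "/bin/bash")
    mac.set_mode(sshd_sh, "learning")
    mac.check(sshd_sh, "read", "/etc/passwd")   # recorded into policy
    mac.set_mode(sshd_sh, "enforcing")
    mac.set_mode(web_sh, "enforcing")           # nothing learned here
    return {
        "learned": mac.check(sshd_sh, "read", "/etc/passwd"),
        "unlearned": mac.check(sshd_sh, "read", "/etc/hosts"),
        "other_chain": mac.check(web_sh, "read", "/etc/passwd"),
        "denials": len(mac.audit),
    }
```

The result of <code>demo()</code> shows why the call chain matters: the access learned for the shell started under <code>sshd</code> stays allowed once that domain is enforcing, while the same binary reached through a different chain has no policy and is denied.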