Mandatory Access Control

From MgmtWiki

Definition

Mandatory Access Control (MAC) and Mandatory Integrity Control (MIC) are both security models that restrict access to resources, but they focus on different goals and are emphasized in different systems.[1]

Mandatory Access Control (MAC)

What it is: A strict access control model where the operating system enforces policies defined by a central authority—not by individual users.

Used in: Unix/Linux systems (e.g., SELinux, which labels every subject and object; AppArmor is also MAC but confines programs with path-based profiles rather than labels), military and government environments.

How it works:

Every subject (user or process) and object (file, socket, device) is assigned a security label consisting of a hierarchical level (e.g., Top Secret, Confidential) and, optionally, non-hierarchical categories.

Read access is granted only if the subject's clearance dominates the object's classification (at least the same level and a superset of its categories). Under Bell-LaPadula, write access works the other way round: a subject may write only to objects at or above its own level, so a process cannot copy classified data down to a lower level.

Goal: Prevent unauthorized information flow and enforce confidentiality.

Example: A user with “Secret” clearance cannot read a “Top Secret” file (no read up), even if file permissions allow it.

Mandatory Integrity Control (MIC)

What it is: A Windows-specific model introduced in Windows Vista that enforces integrity levels to prevent lower-trust processes from modifying higher-trust objects.

Used in: Microsoft Windows (Vista and later).

How it works:

Objects and processes are labeled with integrity levels: Untrusted, Low, Medium, High, or System.

A process with a lower integrity level cannot write to or modify an object with a higher level, even if its ACL grants write access. No-write-up is the default policy; no-read-up and no-execute-up can additionally be set on an object's mandatory label.

Goal: Protect system integrity by isolating untrusted code (e.g., web browsers, downloaded files).

Example: A browser running in “Low” integrity can’t write to a user’s documents folder (which is “Medium”).

Key Differences

| Feature            | MAC (Unix/Linux)                                  | MIC (Windows)                                                          |
|--------------------|---------------------------------------------------|------------------------------------------------------------------------|
| Focus              | Confidentiality and classification                | System integrity and trustworthiness                                   |
| Label type         | Security classification (e.g., Secret)            | Integrity level (e.g., Low, Medium)                                    |
| Granularity        | Subject (user/process) and object                 | Process and object                                                     |
| Policy control     | Centralized, non-discretionary                    | Enforced by the OS, layered over ACLs                                  |
| Typical use case   | Military, secure servers                          | Desktop security, sandboxing                                           |
| Formal model       | Bell-LaPadula: no read up, no write down          | Biba: no write up, no read down (MIC enforces only no write up by default) |
| Primary risk focus | Data exposure                                     | Program and data alteration                                            |

Discretionary (TCSEC [1]): The [computing base] shall define and control access between named users and named objects (e.g., files and programs). The enforcement mechanism (e.g., Access Control Lists) shall allow users to specify and control sharing of those objects by named individuals or defined groups.

Mandatory (TCSEC [1]): The [computing base] shall enforce a mandatory access control policy over all subjects and storage objects (e.g., files, programs, segments and devices). These subjects and objects shall be assigned sensitivity labels that are a combination of hierarchical classification levels and non-hierarchical categories. The labels shall be used as the basis for mandatory access control decisions.

Solutions

SELinux

SELinux stands for **Security-Enhanced Linux**, a security architecture built into many Linux distributions.

  1. What Is SELinux?
    1. **SELinux** is a **Linux kernel security module** (built on the kernel's LSM hook framework) that enforces **mandatory access control (MAC)** policies.
    2. It was originally developed by the **NSA** and released to the open-source community in December 2000. Unlike traditional discretionary access control (DAC), where users and processes set permissions on the objects they own, **SELinux policies are centrally defined and enforced**, even for root. This makes it much harder for a compromised process to escalate privileges or reach resources outside its policy.
    3. Merged into the mainline Linux kernel in 2.6.0 (2003) and shipped enabled by default in Red Hat Enterprise Linux 4 (2005).
    4. Android 4.3: SELinux introduced in permissive mode; violations were logged but not enforced.
    5. Android 5.0+: switched to enforcing mode by default, applying SELinux policies system-wide.
    6. Android 8.0 (Oreo): SELinux adapted to support Project Treble, allowing vendors to maintain separate policies for their components.
    7. Android 11+: further modularization with system_ext and product partitions, each with tailored SELinux policies.
  2. How It Works
    1. Every **process (subject)** and **resource (object)**, such as a file, port or socket, carries a **security context** of the form user:role:type:level (e.g., `system_u:system_r:httpd_t:s0`).
    2. SELinux uses **type enforcement**: policy allow rules state which process types (domains) may perform which operations on which object types; anything not explicitly allowed is denied.
    3. Access decisions are made in the kernel by checking the subject and object contexts against the loaded **policy database**; denials are logged as AVC messages in the audit log.
  3. Modes of Operation
    1. **Enforcing**: SELinux actively blocks unauthorized actions.
    2. **Permissive**: Violations are logged but not blocked (useful for debugging).
    3. **Disabled**: SELinux is turned off.
    4. The boot-time mode is set in `/etc/selinux/config` (`SELINUX=enforcing|permissive|disabled`); `getenforce` shows the current mode and `setenforce 1` / `setenforce 0` switch between enforcing and permissive at runtime. Moving to or from Disabled requires a reboot.
  4. Why It Matters
    1. **Limits damage** from compromised services (e.g., a compromised web server process can touch only the files its type is allowed to reach, regardless of Unix permissions).
    2. **Supports fine-grained control** over system behavior.
    3. **Essential for hardened environments**, especially in government, finance, and cloud deployments.
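The type-enforcement decision and the three modes described above, as an added example that is not code from the MgmtWiki page or from the SELinux project: a toy model that parses a few allow rules written in the real policy language's syntax, labels subjects and objects with user:role:type:level contexts, reads the boot-time mode from `/etc/selinux/config`-style text, and emits a denial line modelled on the kernel's AVC audit format. The policy, contexts, pids and config text are constructed for illustration; the real kernel consults many more rule kinds (roles, MLS constraints, booleans) than this model does.

```python
"""Added example, not code from the MgmtWiki page or the SELinux project: a toy
model of SELinux type enforcement and its enforcing/permissive/disabled modes.
Policy rules, contexts, pids and config text below are constructed."""
from __future__ import annotations
import re
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str   # SELinux user, not the Linux uid: uid 0 gets no special treatment
    role: str
    type: str   # the only field type enforcement looks at
    level: str  # MLS/MCS level or range, e.g. s0 or s0-s0:c0.c1023


def parse_context(s: str) -> Context:
    """Split on the first three colons only: the level may itself contain ':'."""
    parts = s.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"bad security context: {s!r}")
    return Context(*parts)


# allow <source_type> <target_type>:<class> { perm perm ... };   or a single perm
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;")


def parse_policy(text: str) -> set[tuple[str, str, str, str]]:
    """Return every (source_type, target_type, class, permission) the policy allows."""
    allowed = set()
    for src, tgt, cls, perms, single in RULE_RE.findall(text):
        for perm in (perms.split() if perms else [single]):
            allowed.add((src, tgt, cls, perm))
    return allowed


def mode_from_config(text: str) -> str:
    """Read the boot-time mode from /etc/selinux/config-style text (SELINUX=...)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    raise ValueError("no SELINUX= line in config")


def avc_check(policy: set, mode: str, scontext: str, tcontext: str, tclass: str,
              perm: str, pid: int, comm: str) -> tuple[bool, Optional[str]]:
    """Access decision plus the audit line a denial would produce.
    enforcing: deny and log; permissive: allow but log (permissive=1);
    disabled: labels are never consulted, so everything passes."""
    if mode == "disabled":
        return True, None
    s, t = parse_context(scontext), parse_context(tcontext)
    if (s.type, t.type, tclass, perm) in policy:
        return True, None
    permissive = mode == "permissive"
    line = (f'avc:  denied  {{ {perm} }} for  pid={pid} comm="{comm}" '
            f"scontext={scontext} tcontext={tcontext} tclass={tclass} "
            f"permissive={int(permissive)}")
    return permissive, line


# Constructed sample policy, config and contexts (not from a real system).
CONSTRUCTED_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t http_port_t:tcp_socket name_bind;
"""
CONSTRUCTED_CONFIG = "# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n"
HTTPD = "system_u:system_r:httpd_t:s0"
WEBROOT = "system_u:object_r:httpd_sys_content_t:s0"
HOME = "unconfined_u:object_r:user_home_t:s0"

if __name__ == "__main__":
    policy = parse_policy(CONSTRUCTED_POLICY)
    mode = mode_from_config(CONSTRUCTED_CONFIG)
    print(avc_check(policy, mode, HTTPD, WEBROOT, "file", "read", 1234, "httpd"))
    # A compromised httpd_t process cannot write into a home directory even
    # when Unix permissions (or running as uid 0) would allow it:
    print(avc_check(policy, mode, HTTPD, HOME, "file", "write", 1234, "httpd"))
    print(avc_check(policy, "permissive", HTTPD, HOME, "file", "write", 1234, "httpd"))
```

The decision key is (source type, target type, class, permission) only: the SELinux user and role in the context, and the Linux uid of the process, play no part in the type-enforcement check, which is why root is confined like any other process once it is in a confined domain. The permissive branch returns `True` together with a log line, which is exactly the behaviour that makes permissive mode useful for building a policy before switching to enforcing.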

References

  1. DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria (the "Orange Book"), December 1985.