MAC question again

Ilmar S. Habibulin ilmar at ints.ru
Wed Sep 29 06:32:19 GMT 1999


On Tue, 28 Sep 1999, James Buster wrote:

> } Ok. This is chmod() & chown().
> Chown is not really an access control call.
Why? It changes the meaning of permission bits.

> } And what about mac_set_fd() & mac_set_file()? Who can use these calls -
> } owner and suser, no? So what's the difference?
> 
> Either is only useable by a user with appropriate privilege (and since
> it's the 1e list, the appropriate capabilities are CAP_MAC_DOWNGRADE and
> CAP_MAC_UPGRADE).

My main question is - what's the difference between DAC groups and MAC
non-hierarchical categories? Casey says that categories are mandatory when
DAC groups' access is controlled by an authorized user. I'm looking at the POSIX
draft and see that some authorized user (owner) could change these
non-hierarchical categories in some cases. So what's the difference, why
can't I use DAC groups instead of MAC non-hierarchical categories?


