MAC question again

Ilmar S. Habibulin ilmar at ints.ru
Wed Sep 29 15:56:10 GMT 1999


On Tue, 28 Sep 1999, James Buster wrote:

> On Sep 29, 10:32am, "Ilmar S. Habibulin" wrote:
> } My main question is - what's the difference between DAC groups and MAC
> } non-hierarchical categories?
> the object's MAC label, you may not have access to that object. For
> example, if your process' MAC label has categories a,b,c and the
> object's MAC label has categories a,c that process may read that
> object. However, if that object's MAC label has categories a,d you may
> not read that object.
Ok. I've got it. I will rewrite the code to support 16 MAC levels and 64
MAC categories.

> } that some authorized user(owner) could change these non-hierarchical
> } categories in some cases
> Being the owner of an object does not give you the ability to change
> anything about the MAC label of an object, including that MAC label's
> categories.
According to posix.1e: mac_set_file()
"A process can set the MAC label for a file only if the process has search
access to the path and has MAC write access to the file. Additionally,
only processes with an effective user ID equal to the owner of the file or
with appropriate privileges may change the label of the file."

So, MAC label is the set of MAC level and categories. Can I change
category of the file or only level?
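
The read rule from the quoted reply (process categories a,b,c may read an object labelled a,c but not one labelled a,d), as an added example that is not part of the original message or of any POSIX.1e implementation. The struct layout, the function names and the letter-to-bit mapping are hypothetical; the sizes (16 levels, 64 categories) come from the message, and the level comparison assumes the usual rule that the process level must be at least the object level.

```c
#include <stdint.h>
#include <stdio.h>

#define MAC_MAX_LEVELS     16  /* levels 0..15, as planned in the message */
#define MAC_MAX_CATEGORIES 64  /* one bit per category in a 64-bit mask */

/* Hypothetical label layout; not the opaque mac_t of POSIX.1e. */
struct mac_label {
    uint8_t  level;       /* hierarchical part */
    uint64_t categories;  /* non-hierarchical part, bit i = category i */
};

/* Constructed naming: category letter 'a'..'z' maps to bit 0..25. */
static uint64_t cat(char c) { return (uint64_t)1 << (c - 'a'); }

static int mac_label_valid(const struct mac_label *l)
{
    return l->level < MAC_MAX_LEVELS;
}

/* s dominates o: level(s) >= level(o) and categories(s) is a superset. */
static int mac_dominates(const struct mac_label *s, const struct mac_label *o)
{
    if (!mac_label_valid(s) || !mac_label_valid(o))
        return 0;                      /* fail closed on a bad label */
    if (s->level < o->level)
        return 0;
    /* Any object category missing from the subject denies access.
     * Unlike DAC groups, holding one matching category is not enough. */
    return (o->categories & ~s->categories) == 0;
}

int mac_read_allowed(const struct mac_label *proc, const struct mac_label *obj)
{
    return mac_dominates(proc, obj);
}

int main(void)
{
    struct mac_label proc = { 3, cat('a') | cat('b') | cat('c') };
    struct mac_label ac   = { 3, cat('a') | cat('c') };
    struct mac_label ad   = { 3, cat('a') | cat('d') };

    printf("read a,c: %d\n", mac_read_allowed(&proc, &ac));
    printf("read a,d: %d\n", mac_read_allowed(&proc, &ad));
    return 0;
}
```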
