Linkoteca. SELinux

An access control list (ACL) is a more advanced approach to security. It can implement the user/group/anonymous user approach with the basic rwx attributes but typically implementations do much more. In the case of Linux, the POSIX access control list (ACL) is usually supported.

Mandatory Access Control (MAC) is a policy-based approach that provides even more control over how security is implemented and controlled. It extends past the basic access controls of DAC and ACL to allowing an administrator to have fine grained control over what changes users can make. With DAC, a user simply needs write access to be able to change the attributes of a file or directory. The ability to create a file requires write access to the directory a file will be created in.

MAC systems normally provide the ability to specify access attributes as well as the ability to see and modify those attributes. The ability to create and delete files or directories can provide fine grain control. In addition, files and directories can have attributes that can be matched against rules that can control where and how data can be used.

MAC systems usually extend their control beyond the file system. This allows network interfaces, ports and other logical and physical devices to be monitored. This approach can even extend to services such as a system’s firewall. An application can be limited to the ports and interfaces they are allowed to use as well as the files, directories and other resources such as applications they have access to. SELinux is the MAC normally associated with Linux but there are others as well.