MAC and DAC – core security concepts

Arch Linux just announced that they are going to remove tcp_wrapper support. This is, I think, a good idea, since iptables can cover the security issues that tcp_wrappers does, and cover them in a better way.

In the ensuing discussion I supported the removal of tcp_wrappers and I called tcp_wrappers a Discretionary Access Control (DAC) system. This raised some questions about what a MAC and DAC is. So here is a simple explanation.

Primarily a MAC (Mandatory access system) is a system where all access to a medium is restricted, and then some things are made available. So a MAC is basically a whitelist.

A DAC is a blacklist. So it allows access to everything, but restricts things one at a time.

So:

DAC = Allows all and restrict some

MAC = Restrict all and allows some

tcp_wrappers is a DAC in that it only covers a subset of the security scope. As an application authentication layer it only applies to select network applications. One could argue that from another perspective that tcp_wrappers can act as a MAC because it can use a catch all. I will argue that it is still a DAC because it only secures of subset of the network application scope.

For a final example, this would be a DAC setup in iptables:

-A INPUT -p tcp –dport 22 -j REJECT

-A INPUT -p tcp –dport 80 -j REJECT

So only ports 22 and 80 are blocked.

A MAC setup looks like this in iptables:

-A INPUT -p tcp –dport 22 -j ACCEPT

-A INPUT -p tcp –dport 80 -j ACCEPT

-A INPUT -j REJECT

So this setup has a catchall reject, to block everything and then open up a few things.

Normally we think of SELinux as a MAC, but it is more accurate to think of it as an application layer system that can be set up in a MAC fasion, but even the default SELinux setup in Red Hat is still, technically a DAC because it only covers targeted applications. Of course the “strict” SELinux policy that the NSA developed is a MAC.

I hope this helps clear up the difference for some people on how these work!