Mandatory Access Control
tanked
07-07-2008, 04:08 PM
Does anyone understand MAC? I've been reading the handbook article on it:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
but I still don't really understand it. I understand what most of the various modules do but I don't understand what the advantages of using MAC are over simple file permissions. The most confusing to me is the multi-level security module - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-mls.html - I just don't get it.
Can someone provide a 'MAC for dummies' type explanation?
richardpl
07-07-2008, 05:38 PM
www.trustedbsd.org has a lot of documentation, including MAC and MLS ....
tanked
07-07-2008, 09:56 PM
Yeah, I've seen that link before, I still don't understand though :o
richardpl
07-08-2008, 11:39 AM
What? You don't understand English?
Jmdbh
07-08-2008, 06:52 PM
You will need MAC if you have to implement auditing or stronger security. Basically, with MAC a security administrator can define that even the owner of an object cannot do everything with his object. Usually this requirement arises in highly security-sensitive areas like military, governmental or core business services.
tanked
07-10-2008, 11:28 AM
> What? You don't understand English?
Not only do I understand English, I am English.
> You will need MAC if you have to implement auditing or stronger security. Basically, with MAC a security administrator can define that even the owner of an object cannot do everything with his object. Usually this requirement arises in highly security-sensitive areas like military, governmental or core business services.
Thanks. As I said, I more or less understand what the individual MAC modules do, but I couldn't see what advantage MAC has over proper use of file/directory permissions.
cajunman4life
07-10-2008, 02:30 PM
> What? You don't understand English?
Come on guys... can't we contribute something a bit more than this to the questions asked here?
hydra
11-07-2008, 10:20 PM
Hey tanked, I know how you feel. I was the same when reading it ;)
Ok, but MAC is not just like file permissions. First of all, Unix has DAC - the user can choose what files have what permissions. In MAC, it's enforced by the system what permissions one has. The MAC implementation in FreeBSD also allows things like binding non-privileged apps to ports below 1024.
With MAC it's possible to do the following: suppose you have students and a teacher.
Students will be able to write to the teacher, but not be able to read from the teacher.
The teacher will be able to read from the students, but will not be able to write to the students.
Bell-LaPadula / Biba model, that is. Read more on wiki.
However, good luck, MAC is not for mortals! ;)
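A small added illustration of the student/teacher rules above (example code written for this thread, not code from FreeBSD's mac_mls or from any poster): it parses labels in the assumed `mls/level:compartment+compartment` form, then applies the Bell-LaPadula confidentiality rules (no read up, no write down) and their Biba integrity mirror (no read down, no write up).

```python
# Toy label checker for the Bell-LaPadula / Biba rules discussed above.
# Label syntax "mls/LEVEL:C1+C2" is an assumption modelled on the handbook;
# this is illustrative code, not the kernel's enforcement logic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset

    @classmethod
    def parse(cls, text):
        body = text.removeprefix("mls/")            # e.g. "10:2+3"
        level, _, comps = body.partition(":")
        cs = frozenset(int(c) for c in comps.split("+") if c)
        return cls(int(level), cs)

    def dominates(self, other):
        # A label dominates another when its level is at least as high
        # and it holds every compartment of the other (lattice ordering).
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def blp_read_ok(subject, obj):
    # Simple security property: a subject may only read objects it dominates.
    return subject.dominates(obj)


def blp_write_ok(subject, obj):
    # *-property: a subject may only write to objects that dominate it.
    return obj.dominates(subject)


def biba_read_ok(subject, obj):
    # Biba integrity: reading lower-integrity data is refused.
    return obj.dominates(subject)


def biba_write_ok(subject, obj):
    # Biba integrity: writing to higher-integrity objects is refused.
    return subject.dominates(obj)


def classroom():
    # Constructed labels: the teacher sits above the students.
    student, teacher = Label.parse("mls/1"), Label.parse("mls/5:1")
    return {"student_reads_teacher": blp_read_ok(student, teacher),
            "student_writes_teacher": blp_write_ok(student, teacher),
            "teacher_reads_student": blp_read_ok(teacher, student),
            "teacher_writes_student": blp_write_ok(teacher, student)}
```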