mac-initial.html

这是很好的学习嵌入式LINUX的文章

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Explanation of MAC</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="Key Terms in this Chapter" href="mac-inline-glossary.html" />
<link rel="NEXT" title="Understanding MAC Labels" href="mac-understandlabel.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-inline-glossary.html"
accesskey="P">后退</a></td>
<td width="80%" align="center" valign="bottom">章 15. Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-understandlabel.html"
accesskey="N">前进</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-INITIAL" name="MAC-INITIAL">15.3. Explanation of
MAC</a></h1>

<p>With all of these new terms in mind, consider how the <acronym
class="ACRONYM">MAC</acronym> framework augments the security of the system as a whole.
The various policies provided by the <acronym class="ACRONYM">MAC</acronym> framework
could be used to protect the network and file systems, block users from accessing certain
ports and sockets, and more. Perhaps the best use of the policies is to blend them
together, by loading several policy modules at a time, for a multi-layered security
environment. In a multi-layered security environment, multiple policies are in effect to
keep security in check. This is different then a hardening policy, which typically
hardens elements of a system that is used only for specific purposes. The only downside
is administrative overhead in cases of multiple file system labels, setting network
access control user by user, etc.</p>

<p>These downsides are minimal when compared to the lasting effect of the framework; for
instance, the ability to pick choose which policies are required for a specific
configuration keeps performance overhead down. The reduction of support for unneeded
policies can increase the overall performance of the system as well as offer flexibility
of choice. A good implementation would consider the overall security requirements and
effectively implement the various policies offered by the framework..</p>

<p>Thus a system utilizing <acronym class="ACRONYM">MAC</acronym> features should at
least guarantee that a user will not be permitted to change security attributes at will;
all user utilities, programs and scripts must work within the constraints of the access
rules provided by the selected policies; and that total control of the <acronym
class="ACRONYM">MAC</acronym> access rules are in the hands of the system
administrator.</p>

<p>It is the sole duty of the system administrator to carefully select the correct
policies. Some environments may need to limit access control over the network; in these
cases, the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_portacl</span>(4)</span>, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_ifoff</span>(4)</span> and even <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_biba</span>(4)</span> policies might
make good starting points. In other cases, strict confidentiality of file system objects
might be required. Policies such as <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_bsdextended</span>(4)</span> and <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_mls</span>(4)</span> exist for this
purpose.</p>

<p>Policy decisions could be made based on network configuration. Perhaps only certain
users should be permitted access to facilities provided by <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span> to access the
network or the Internet. The <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_portacl</span>(4)</span> would be the policy of choice for
these situations. But what should be done in the case of file systems? Should all access
to certain directories be severed from other groups or specific users? Or should we limit
user or utility access to specific files by setting certain objects as classified?</p>

<p>In the file system case, access to objects might be considered confidential to some
users but not to others. For an example, a large development team might be broken off
into smaller groups of individuals. Developers in project A might not be permitted to
access objects written by developers in project B. Yet they might need to access objects
created by developers in project C; that is quite a situation indeed. Using the different
policies provided by the <acronym class="ACRONYM">MAC</acronym> framework; users could be
divided into these groups and then given access to the appropriate areas without the fear
of information leakage.</p>

<p>Thus, each policy has a unique way of dealing with the overall security of a system.
Policy selection should be based on a well thought out security policy. In many cases,
the overall policy may need to be revised and reimplemented on the system. Understanding
the different policies offered by the <acronym class="ACRONYM">MAC</acronym> framework
will help administrators choose the best policies for their situations.</p>

<p>The default FreeBSD kernel does not include the option for the <acronym
class="ACRONYM">MAC</acronym> framework; thus the following kernel option must be added
before trying any of the examples or information in this chapter:</p>

<pre class="PROGRAMLISTING">
options    MAC
</pre>

<p>And the kernel will require a rebuild and a reinstall.</p>

<div class="CAUTION">
<blockquote class="CAUTION">
<p><b>注意</b>While the various manual pages for <acronym class="ACRONYM">MAC</acronym>
modules state that they may be built into the kernel, it is possible to lock the system
out of the network and more. Implementing <acronym class="ACRONYM">MAC</acronym> is much
like implementing a firewall, but care must be taken to prevent being completely locked
out of the system. The ability to revert back to a previous configuration should be
considered while the implementation of <acronym class="ACRONYM">MAC</acronym> remotely
should be done with extreme caution.</p>
</blockquote>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-inline-glossary.html"
accesskey="P">后退</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">起点</a></td>
<td width="33%" align="right" valign="top"><a href="mac-understandlabel.html"
accesskey="N">前进</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Key Terms in this Chapter</td>
<td width="34%" align="center" valign="top"><a href="mac.html"
accesskey="U">上一级</a></td>
<td width="33%" align="right" valign="top">Understanding MAC Labels</td>
</tr>
</table>
</div>
</body>
</html>