mac-inline-glossary.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Key Terms in this Chapter</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="Mandatory Access Control" href="mac.html" />
<link rel="NEXT" title="Explanation of MAC" href="mac-initial.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac.html"
accesskey="P">后退</a></td>
<td width="80%" align="center" valign="bottom">章 15. Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-initial.html"
accesskey="N">前进</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-INLINE-GLOSSARY" name="MAC-INLINE-GLOSSARY">15.2. Key Terms
in this Chapter</a></h1>

<p>Before reading this chapter, a few key terms must be explained. This will hopefully
clear up any confusion that may occur and avoid the abrupt introduction of new terms and
information.</p>

<ul>
<li>
<p><span class="emphasis"><i class="EMPHASIS">compartment</i></span>: A compartment is a
a set of programs and data to be partitioned or separated, where users are given explicit
access to specific components of a system. Also, a compartment represents a grouping,
such as a work group, department, project, or topic. Using compartments, it is possible
to implement a need-to-know policy.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">integrity</i></span>: Integrity, as a key
concept, is the level of trust which can be placed on data. As the integrity of the data
is elevated, so does the ability to trust that data.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">label</i></span>: A label is a security
attribute which can be applied to files, directories, or other items in the system. It
could be considered to be a confidentiality stamp; when a label is placed on a file it
describes the security properties for that specific file and will only permit access by
files, users, resources, etc. with a similar security setting. The meaning and
interpretation of label values depends on the policy: while some policies might treat a
label as representing the integrity or secrecy of an object, other policies might use
labels to hold rules for access.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">level</i></span>: The increased or
decreased setting of a security attribute. As the level increases, its security is
considered to elevate as well.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">multilabel</i></span>: The <var
class="OPTION">multilabel</var> property is a file system option which can be set in
single user mode using the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">tunefs</span>(8)</span> utility; set during the boot operation
using the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">fstab</span>(5)</span>
file; or during the creation of a new file system. This option will permit an
administrator to apply different <acronym class="ACRONYM">MAC</acronym> labels on
different objects. This option only applies to policies labeled policies.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">object</i></span>: An object or system
object is an entity through which information flows under the direction of a <span
class="emphasis"><i class="EMPHASIS">subject</i></span>. This includes directories,
files, fields, screens, keyboards, memory, magnetic storage, printers or any other data
storage/moving device. Basically, an object is a data container or a system resource;
access to an <span class="emphasis"><i class="EMPHASIS">object</i></span> effectively
means access to the data.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">policy</i></span>: A collection of rules
which defines how objectives are to be achieved. A <span class="emphasis"><i
class="EMPHASIS">policy</i></span> usually documents how certain items are to be handled.
This chapter will consider the term <span class="emphasis"><i
class="EMPHASIS">policy</i></span> in this context as a <span class="emphasis"><i
class="EMPHASIS">security policy</i></span>; i.e. a collection of rules which will
control the flow of data and information and define whom will have access to that data
and information.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">sensitivity</i></span>: Usually used when
discussing <acronym class="ACRONYM">MLS</acronym>. A sensitivity level is a term used to
describe how important or secret the data should be. As the sensitivity level increases,
so does the importance of the data.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">single label</i></span>: A single label is
when the entire file system uses one label to enforce access control over the flow of
data. When a file system has this set, which is any time when the <var
class="OPTION">multilabel</var> option is not set, all files will conform to the same
label setting.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">subject</i></span>: a subject is any active
entity that causes information to flow between <span class="emphasis"><i
class="EMPHASIS">objects</i></span>; e.g. a user, user processor, system process, etc. On
FreeBSD, this is almost always a thread acting in a process on behalf of a user.</p>
</li>
</ul>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac.html" accesskey="P">后退</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">起点</a></td>
<td width="33%" align="right" valign="top"><a href="mac-initial.html"
accesskey="N">前进</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Mandatory Access Control</td>
<td width="34%" align="center" valign="top"><a href="mac.html"
accesskey="U">上一级</a></td>
<td width="33%" align="right" valign="top">Explanation of MAC</td>
</tr>
</table>
</div>
</body>
</html>