
Translation

(itstool) path: sect1/para
English
While this chapter covers a broad range of security issues relating to the <acronym>MAC</acronym> framework, the development of new <acronym>MAC</acronym> security policy modules will not be covered. A number of security policy modules included with the <acronym>MAC</acronym> framework have specific characteristics which are provided for both testing and new module development. Refer to <citerefentry><refentrytitle>mac_test</refentrytitle><manvolnum>4</manvolnum></citerefentry>, <citerefentry><refentrytitle>mac_stub</refentrytitle><manvolnum>4</manvolnum></citerefentry> and <citerefentry><refentrytitle>mac_none</refentrytitle><manvolnum>4</manvolnum></citerefentry> for more information on these security policy modules and the various mechanisms they provide.
Strings in this component (English source text; where the zh_CN translation differs from the source, the difference is noted in English)
A local <acronym>DHCP</acronym> server can be configured to provide this address for a local <acronym>DNS</acronym> server, providing automatic configuration on <acronym>DHCP</acronym> clients.
Mandatory Access Control
<primary>MAC</primary>
<primary>Mandatory Access Control</primary> <see>MAC</see>
FreeBSD supports security extensions based on the <trademark class="registered">POSIX</trademark>.1e draft. These security mechanisms include file system Access Control Lists (<xref linkend="fs-acl"/>) and Mandatory Access Control (<acronym>MAC</acronym>). <acronym>MAC</acronym> allows access control modules to be loaded in order to implement security policies. Some modules provide protections for a narrow subset of the system, hardening a particular service. Others provide comprehensive labeled security across all subjects and objects. The mandatory part of the definition indicates that enforcement of controls is performed by administrators and the operating system. This is in contrast to the default security mechanism of Discretionary Access Control (<acronym>DAC</acronym>), where enforcement is left to the discretion of users.
This chapter focuses on the <acronym>MAC</acronym> framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms.
The terminology associated with the <acronym>MAC</acronym> framework. [The zh_CN translation of this item differs from the source string; rendered in English it reads: "Which <acronym>MAC</acronym> security policy modules FreeBSD currently provides, and the mechanisms associated with them."]
The capabilities of <acronym>MAC</acronym> security policy modules as well as the difference between a labeled and non-labeled policy.
The considerations to take into account before configuring a system to use the <acronym>MAC</acronym> framework. [The zh_CN translation of this item differs from the source string; rendered in English it reads: "How to configure a system efficiently so that it uses the <acronym>MAC</acronym> framework."]
Which <acronym>MAC</acronym> security policy modules are included in FreeBSD and how to configure them.
How to implement a more secure environment using the <acronym>MAC</acronym> framework.
How to test the <acronym>MAC</acronym> configuration to ensure the framework has been properly implemented.
Have some familiarity with security and how it pertains to FreeBSD (<xref linkend="security"/>).
Improper <acronym>MAC</acronym> configuration may cause loss of system access, aggravation of users, or inability to access the features provided by <application>Xorg</application>. More importantly, <acronym>MAC</acronym> should not be relied upon to completely secure a system. The <acronym>MAC</acronym> framework only augments an existing security policy. Without sound security practices and regular security checks, the system will never be completely secure.
The examples contained within this chapter are for demonstration purposes and the example settings should <emphasis>not</emphasis> be implemented on a production system. Implementing any security policy takes a good deal of understanding, proper design, and thorough testing.
Key Terms
The following key terms are used when referring to the <acronym>MAC</acronym> framework:
<emphasis>compartment</emphasis>: a set of programs and data to be partitioned or separated, where users are given explicit access to specific components of a system. A compartment represents a grouping, such as a work group, department, project, or topic. Compartments make it possible to implement a need-to-know-basis security policy. [zh_CN translator's note: in some literature the term compartment is also called category; other translated literature renders it as "quadrant".]
<emphasis>integrity</emphasis>: the level of trust which can be placed on data. As the integrity of the data is raised, so is the degree to which that data can be trusted.
<emphasis>level</emphasis>: the increased or decreased setting of a security attribute. As the level increases, its security is considered to elevate as well.
<emphasis>label</emphasis>: a security attribute which can be applied to files, directories, or other items in the system. It could be considered a confidentiality stamp. When a label is placed on a file, it describes the security properties of that file and will only permit access by files, users, and resources with a similar security setting. The meaning and interpretation of label values depends on the policy configuration. Some policies treat a label as representing the integrity or secrecy of an object, while other policies might use labels to hold rules for access.
<emphasis>multilabel</emphasis>: this property is a file system option which can be set in single-user mode using <citerefentry><refentrytitle>tunefs</refentrytitle><manvolnum>8</manvolnum></citerefentry>, during boot using <citerefentry><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>, or during the creation of a new file system. This option permits an administrator to apply different <acronym>MAC</acronym> labels on different objects. This option only applies to security policy modules which support labeling.
<emphasis>single label</emphasis>: a policy where the entire file system uses one label to enforce access control over the flow of data. Whenever <option>multilabel</option> is not set, all files will conform to the same label setting.
<emphasis>object</emphasis>: an entity through which information flows under the direction of a <emphasis>subject</emphasis>. This includes directories, files, fields, screens, keyboards, memory, magnetic storage, printers or any other data storage or moving device. An object is a data container or a system resource. Access to an object effectively means access to its data.
<emphasis>subject</emphasis>: any active entity that causes information to flow between <emphasis>objects</emphasis>, such as a user, user process, or system process. On FreeBSD, this is almost always a thread acting in a process on behalf of a user. [zh_CN translator's note: the source string read "processor" at the time of translation.]
<emphasis>policy</emphasis>: a collection of rules which defines how objectives are to be achieved. A policy usually documents how certain items are to be handled. This chapter considers a policy to be a collection of rules which controls the flow of data and information and defines who has access to that data and information.
<emphasis>high-watermark</emphasis>: this type of policy permits the raising of security levels for the purpose of accessing higher level information. In most cases, the original level is restored after the process is complete. Currently, the FreeBSD <acronym>MAC</acronym> framework does not include this type of policy. [The zh_CN translation adds that the term is defined here only for completeness.]
<emphasis>low-watermark</emphasis>: this type of policy permits lowering security levels for the purpose of accessing information which is less secure. In most cases, the original security level of the user is restored after the process is complete. The only security policy module in FreeBSD to use this is <citerefentry><refentrytitle>mac_lomac</refentrytitle><manvolnum>4</manvolnum></citerefentry>.
<emphasis>sensitivity</emphasis>: usually used when discussing Multilevel Security (<acronym>MLS</acronym>). A sensitivity level describes how important or secret the data should be. As the sensitivity level increases, so does the importance of the secrecy, or confidentiality, of the data.
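The following Python model is an added illustration of the vocabulary above; it is not part of the Handbook and is not the implementation of mac_lomac(4) or of any FreeBSD code. It gives subjects and objects integer integrity labels, makes an object's effective label depend on whether its file system is single-label or multilabel, and applies a simplified low-watermark rule: reading a lower-integrity object lowers the subject's level, and a subject may only write to objects at or below its level. All names (the file systems, the files, the "editor" subject) are hypothetical and the scenario is constructed.

```python
"""Toy model of MAC terms: subjects, objects, integrity labels, single-label
vs. multilabel file systems, and a low-watermark rule.
Illustration only; not how mac_lomac(4) or the MAC framework is implemented."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class FileSystem:
    name: str
    multilabel: bool
    label: int  # the single label every object carries when multilabel is off


@dataclass
class Obj:
    """A data container (file, device, ...). With multilabel off, every object
    on the file system conforms to the file system's label; own_label is ignored."""
    name: str
    fs: FileSystem
    own_label: int = 0

    @property
    def label(self) -> int:
        return self.own_label if self.fs.multilabel else self.fs.label


@dataclass
class Subject:
    """An active entity (a process acting for a user) carrying an integrity level."""
    name: str
    label: int
    log: List[str] = field(default_factory=list)


def read(subj: Subject, obj: Obj) -> bool:
    """Low-watermark rule: reads are always permitted, but reading a lower-
    integrity object drags the subject's level down to the object's level.
    The level stays down for the life of the subject; it is never raised here."""
    if obj.label < subj.label:
        subj.log.append(f"{subj.name}: level {subj.label} -> {obj.label} after reading {obj.name}")
        subj.label = obj.label
    return True


def write(subj: Subject, obj: Obj) -> bool:
    """A subject may write only to objects at or below its own level, so data
    that flowed in from a low-integrity source cannot reach trusted objects."""
    allowed = subj.label >= obj.label
    subj.log.append(f"{subj.name}: write to {obj.name} (label {obj.label}) "
                    f"{'allowed' if allowed else 'denied'} at level {subj.label}")
    return allowed


def demo() -> dict:
    """Constructed scenario with hypothetical names: a trusted editor process
    reads an untrusted download and loses the ability to modify a trusted file."""
    multi = FileSystem("ufs-multilabel", multilabel=True, label=0)
    single = FileSystem("ufs-single", multilabel=False, label=1)

    trusted_conf = Obj("trusted.conf", multi, own_label=2)
    download = Obj("untrusted-download", multi, own_label=0)
    on_single = Obj("file-on-single-label-fs", single, own_label=5)

    editor = Subject("editor", label=2)

    before = write(editor, trusted_conf)   # allowed: level 2 >= label 2
    read(editor, download)                 # editor floats down to level 0
    after = write(editor, trusted_conf)    # denied: level 0 < label 2
    still_low = write(editor, download)    # allowed: level 0 >= label 0

    return {
        "write_before_read": before,
        "level_after_read": editor.label,
        "write_after_read": after,
        "write_low_after_read": still_low,
        "single_fs_effective_label": on_single.label,  # fs label wins, not 5
        "log": editor.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running the module prints the decision log; the point to notice is that the subject's level drops on the read and the later write to the trusted object is denied, while the single-label file system reports the file system's label rather than the per-object value.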
Understanding MAC Labels
Translation comment
dbaio (8 months ago): Build error, needs editing.

Source information
Source string comment: (itstool) path: sect1/para
Source string location: book.translate.xml:31597
String age: a year ago
Source string age: a year ago
Translation file: books/zh_CN/handbook.po, string 5156