Difference between revisions of "MultiCategorySecurity"
Revision as of 14:18, 18 November 2009
Multi-Category Security (MCS) is an optional addition to SELinux that allows users to label files (and the processes that access them) with categories. The number of categories supported by the system is configured by policy; Fedora supports 1024, c0, c1, ... c1022, c1023. Categories are a set, not a hierarchy, so a file may carry any number of them. Raw category names can optionally be translated (mapped) into more descriptive names, such as Engineering, Marketing, Payroll, and CompanyNDA. For example, a technical report that is also under a non-disclosure agreement (NDA) might carry the categories Engineering,CompanyNDA. The translations are configured in the /etc/selinux/NAME/setrans.conf file (NAME is the policy in use, e.g. targeted):
s0:c0=Engineering
s0:c1=Marketing
s0:c2=Payroll
s0:c3=CompanyNDA
s0:c0,c3=Engineering_NDA
The s0 portion is required, as MCS is implemented using SELinux's Multi-Level Security (MLS) support: MCS uses a single sensitivity level, s0, and only the category part of the MLS field varies. Note that the last line maps the whole set c0,c3 to one name, so a file carrying exactly those two categories is shown as Engineering_NDA rather than Engineering,CompanyNDA.
The categories on a file can be changed by using the chcat command. For example, to add the CompanyNDA to a file:
chcat +CompanyNDA myfile.doc
Similarly, to remove the Engineering category:
chcat -- -Engineering myfile.doc
The -- is required so that -Engineering is parsed as a category to remove rather than as an option to chcat. To replace the existing category set completely, give the new set without a leading + or -:
chcat Marketing,CompanyNDA myfile.doc
Now that the file has the correct categories, the programs that need to access it must also be run with those categories: under MCS a process can only access a file whose categories are a subset of the process's own, so a process running with only Marketing cannot read a file labelled Marketing,CompanyNDA. The category range of a process can be set at launch with runcon:
runcon -l
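The following is an added example, not code from the wiki page or from the SELinux tools. It models, in plain Python, what the chcat sequence above does to a file's category set, how setrans.conf turns raw labels such as s0:c0,c3 into names such as Engineering_NDA (and back, for chcat arguments), and the subset check that decides whether a process run with a given category set may access the file. The setrans.conf fragment is constructed for the example (it repeats the page's mappings plus the conventional s0=SystemLow line), and the range/formatting rules are those of raw MCS labels (cA.cB is the contiguous run A..B). The real chcat and runcon need an SELinux host with MCS enabled; this model runs anywhere.

```python
import re

# Constructed setrans.conf fragment for this example (not a system file).
SETRANS_CONF = """\
# raw MCS label = translated name
s0=SystemLow
s0:c0=Engineering
s0:c1=Marketing
s0:c2=Payroll
s0:c3=CompanyNDA
s0:c0,c3=Engineering_NDA
"""

NUM_CATEGORIES = 1024          # Fedora policy: c0 .. c1023
LABEL_RE = re.compile(r"s0(?::(.*))?")


def parse_raw(label):
    """Parse a raw MCS label ('s0', 's0:c0,c3', 's0:c0.c1023') into a frozenset
    of category numbers. 'cA.cB' denotes the contiguous run A..B."""
    m = LABEL_RE.fullmatch(label.strip())
    if m is None:
        raise ValueError(f"not an MCS label: {label!r}")
    cats = set()
    for item in filter(None, (m.group(1) or "").split(",")):
        rng = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if rng is None:
            raise ValueError(f"bad category {item!r} in {label!r}")
        lo = int(rng.group(1))
        hi = int(rng.group(2) or lo)
        if not lo <= hi < NUM_CATEGORIES:
            raise ValueError(f"category out of range in {label!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def format_raw(cats):
    """Render a category set as a raw label: sorted, runs of three or more
    written as cA.cB, shorter runs listed one by one (the kernel's style)."""
    nums, parts, i = sorted(cats), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"c{nums[i]}.c{nums[j]}")
        else:
            parts.extend(f"c{n}" for n in nums[i:j + 1])
        i = j + 1
    return "s0" + (":" + ",".join(parts) if parts else "")


def parse_setrans(text):
    """Build (category set -> name, name -> category set) from setrans.conf text."""
    by_set, by_name = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        raw, name = (s.strip() for s in line.split("=", 1))
        cats = parse_raw(raw)
        by_set[cats] = name
        by_name[name] = cats
    return by_set, by_name


BY_SET, BY_NAME = parse_setrans(SETRANS_CONF)


def translate(cats):
    """Raw -> readable: an exact setrans.conf entry wins (c0,c3 -> Engineering_NDA);
    otherwise each category is named on its own, unnamed ones stay as cN."""
    cats = frozenset(cats)
    if cats in BY_SET:
        return BY_SET[cats]
    return ",".join(BY_SET.get(frozenset([c]), f"c{c}") for c in sorted(cats)) or "s0"


def resolve(name):
    """A chcat argument: a translated name, or a raw category such as c7."""
    if name in BY_NAME:
        return BY_NAME[name]
    if re.fullmatch(r"c\d+", name):
        return parse_raw("s0:" + name)
    raise ValueError(f"unknown category {name!r}")


def apply_chcat(cats, spec):
    """Model chcat's category argument: '+X,Y' adds, '-X' removes (on the real
    command line a removal must follow '--'), and 'X,Y' replaces the whole set."""
    if not spec:
        raise ValueError("empty category specification")
    op, names = (spec[0], spec[1:]) if spec[0] in "+-" else ("=", spec)
    wanted = frozenset().union(*(resolve(n) for n in names.split(",") if n))
    if op == "+":
        return frozenset(cats) | wanted
    if op == "-":
        return frozenset(cats) - wanted
    return wanted


def dominates(process_cats, file_cats):
    """MCS access rule: the process's categories must be a superset of the file's."""
    return frozenset(process_cats) >= frozenset(file_cats)


def walk_page_example():
    """Replay the page's chcat sequence on a file that starts as Engineering."""
    steps, cats = [], resolve("Engineering")
    for spec in ("+CompanyNDA", "-Engineering", "Marketing,CompanyNDA"):
        cats = apply_chcat(cats, spec)
        steps.append((spec, format_raw(cats), translate(cats)))
    return steps


if __name__ == "__main__":
    for spec, raw, name in walk_page_example():
        print(f"chcat {spec:<22} -> {raw:<10} shown as {name}")
    marketing_only = resolve("Marketing")
    print("Marketing-only process may read the file:",
          dominates(marketing_only, resolve("Marketing") | resolve("CompanyNDA")))
```

Running the script walks the three chcat commands from the page: after +CompanyNDA the file is s0:c0,c3 and displays as Engineering_NDA because setrans.conf maps that exact pair; after removing Engineering it is s0:c3 (CompanyNDA); after the replacing call it is s0:c1,c3, which has no whole-set entry and so displays as Marketing,CompanyNDA. The final check shows why the process must be launched with the right range: a Marketing-only process does not dominate that file.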