MultiCategorySecurity

From SELinux Wiki

Revision as of 14:18, 18 November 2009 by ChrisPeBenito (Talk | contribs)

Multi-Category Security (MCS) is an optional addition to SELinux that allows users to add categories to files. The number of categories supported by the system is configured by policy; Fedora supports 1024, c0, c1, ... c1022, c1023. Categories can optionally be translated (mapped) into more descriptive names, such as Engineering, Marketing, Payroll, and CompanyNDA. A file may have multiple categories. For example, if there was a technical report that was also under a non-disclosure agreement (NDA), the file might have the categories Engineering,CompanyNDA. The category names are configured in the /etc/selinux/NAME/setrans.conf file:

s0:c0=Engineering
s0:c1=Marketing
s0:c2=Payroll
s0:c3=CompanyNDA
s0:c0,c3=Engineering_NDA

The s0 portion is required, as MCS is implemented using SELinux's Multi-Level Security (MLS) support.

The categories on a file can be changed by using the chcat command. For example, to add the CompanyNDA to a file:

chcat +CompanyNDA myfile.doc

Similarly, to remove the Engineering category:

chcat -- -Engineering myfile.doc

The -- is required so that chcat does not parse -Engineering as one of its own options. To replace the existing category set entirely with a new one:

chcat Marketing,CompanyNDA myfile.doc
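The two directions of the setrans.conf mapping above (raw label to descriptive names, as the translation daemon shows them, and descriptive names back to a raw label, as chcat must do with its arguments) can be worked through offline. The following shell script is an added example written for this page; it is not code from the SELinux wiki, mcstrans or chcat. It embeds the page's setrans.conf lines as a constructed string and assumes mcstrans-like rules: an exact line in the table wins, otherwise each category is translated on its own and the names are joined with commas, and a category with no mapping is kept in its raw cN form. Function names (`mcs_translate`, `mcs_untranslate`) are this example's own.

```shell
#!/bin/sh
# Constructed copy of the setrans.conf excerpt from the page (example data).
SETRANS_CONF='s0:c0=Engineering
s0:c1=Marketing
s0:c2=Payroll
s0:c3=CompanyNDA
s0:c0,c3=Engineering_NDA'

# Forward lookup: raw key (field 1) -> descriptive name (field 2); empty if absent.
setrans_lookup() {
    printf '%s\n' "$SETRANS_CONF" | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# Reverse lookup: descriptive name (field 2) -> raw key (field 1); empty if absent.
setrans_reverse() {
    printf '%s\n' "$SETRANS_CONF" | awk -F= -v v="$1" '$2 == v { print $1; exit }'
}

# mcs_translate RAW_LABEL
# Render a raw MCS label such as s0:c1,c3 in descriptive form (assumed
# mcstrans behaviour): a whole-label entry wins; otherwise each category is
# translated separately and the names joined with commas. Unknown categories
# are left as cN so that nothing is silently hidden from the reader.
mcs_translate() {
    raw=$1
    exact=$(setrans_lookup "$raw")
    if [ -n "$exact" ]; then
        printf '%s\n' "$exact"
        return 0
    fi
    case $raw in
        *:*) ;;
        *) printf '%s\n' "$raw"; return 0 ;;   # sensitivity only, no categories
    esac
    level=${raw%%:*}   # e.g. s0
    cats=${raw#*:}     # e.g. c1,c3
    out=""
    for c in $(printf '%s' "$cats" | tr ',' ' '); do
        name=$(setrans_lookup "$level:$c")
        [ -n "$name" ] || name=$c
        out="${out:+$out,}$name"
    done
    printf '%s\n' "$out"
}

# mcs_untranslate NAMES
# Resolve a comma-separated list of descriptive names (the form chcat accepts,
# e.g. Marketing,CompanyNDA) back to a canonical raw label. A whole-list entry
# wins; otherwise every name must map, or the call fails with status 1, which
# is the right outcome for a typo: never guess a category on the user's behalf.
mcs_untranslate() {
    names=$1
    exact=$(setrans_reverse "$names")
    if [ -n "$exact" ]; then
        printf '%s\n' "$exact"
        return 0
    fi
    level=""
    cats=""
    for n in $(printf '%s' "$names" | tr ',' ' '); do
        key=$(setrans_reverse "$n")
        if [ -z "$key" ]; then
            printf 'unknown category name: %s\n' "$n" >&2
            return 1
        fi
        level=${key%%:*}
        cats="${cats:+$cats,}${key#*:}"
    done
    # Canonical order: numeric sort of the cN parts with duplicates removed,
    # so Marketing,CompanyNDA and CompanyNDA,Marketing give the same label.
    cats=$(printf '%s\n' "$cats" | tr ',' '\n' | sed 's/^c//' | sort -n -u \
           | sed 's/^/c/' | tr '\n' ',')
    printf '%s:%s\n' "$level" "${cats%,}"
}

# Demonstration when run directly:
#   s0:c1,c3  -> Marketing,CompanyNDA
#   Engineering_NDA -> s0:c0,c3
mcs_translate 's0:c1,c3'
mcs_untranslate 'Engineering_NDA'
```

On a real system the same translation is done by mcstransd when the file_contexts and labels are displayed, and chcat consults the table when it is given names; this script only shows the mapping logic so the effect of a setrans.conf change can be checked before it is deployed.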

Now that the file has the correct categories, programs should be run with categories.

runcon -l