From SELinux Wiki
Revision as of 14:18, 18 November 2009 by ChrisPeBenito (Talk | contribs)


Multi-Category Security (MCS) is an optional addition in SELinux that allows users to add categories to files. The number of categories supported by the system is configured by policy; Fedora supports 1024 categories, c0 through c1023. Categories can optionally be translated (mapped) into more descriptive names, such as Engineering, Marketing, Payroll, and CompanyNDA. A file may have multiple categories. For example, if a technical report is under a non-disclosure agreement (NDA), the file might have the categories Engineering,CompanyNDA. The category names can be configured in the /etc/selinux/NAME/setrans.conf file.


The s0 portion is required, as MCS is implemented using SELinux's Multi-Level Security (MLS) support.

The categories on a file can be changed by using the chcat command. For example, to add the CompanyNDA category to a file:

chcat +CompanyNDA myfile.doc

Similarly, to remove the Engineering category:

chcat -- -Engineering myfile.doc

The -- is required so that chcat does not interpret the categories being removed as command-line options. To set the complete category set (replacing the existing categories):

chcat Marketing,CompanyNDA myfile.doc

Now that the file has the correct categories, programs should be run with categories.

runcon -l
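The following is an added example, not code from the SELinux Wiki or from chcat itself. It models how the add, remove and replace operations shown above change the raw s0 label, and the dominance check that decides whether a process's categories cover a file's. The name-to-category mapping, the single-operator spec syntax and all function names are assumptions made for this illustration.

```python
import re

MAX_CATEGORY = 1023  # Fedora policy, per the text above: c0 through c1023
# Constructed name-to-category mapping, standing in for setrans.conf translations.
NAMES = {"Engineering": 0, "Marketing": 1, "Payroll": 2, "CompanyNDA": 3}

def parse_level(level):
    """Parse a raw MCS level such as 's0:c0,c3' or 's0:c0.c3' into a set of ints."""
    sens, _, cats = level.partition(":")
    if sens != "s0":
        raise ValueError("MCS labels must use sensitivity s0")
    result = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category term: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo > hi or hi > MAX_CATEGORY:
            raise ValueError(f"category out of range: {part!r}")
        result.update(range(lo, hi + 1))
    return result

def format_level(cats):
    """Render a category set as a raw level; runs of three or more become cN.cM."""
    terms, run = [], []
    for c in sorted(cats) + [None]:  # None is a sentinel that flushes the last run
        if run and c == run[-1] + 1:
            run.append(c)
            continue
        if len(run) >= 3:
            terms.append(f"c{run[0]}.c{run[-1]}")
        else:
            terms.extend(f"c{x}" for x in run)
        run = [c]
    return "s0" + (":" + ",".join(terms) if terms else "")

def chcat(level, spec):
    """Simplified chcat spec: '+A,B' adds, '-A,B' removes, 'A,B' replaces the set."""
    cats = parse_level(level)
    if spec[0] in "+-":
        wanted = {NAMES[n] for n in spec[1:].split(",")}
        cats = cats | wanted if spec[0] == "+" else cats - wanted
    else:
        cats = {NAMES[n] for n in spec.split(",")}
    return format_level(cats)

def dominates(process_level, file_level):
    """True when the process holds every category present on the file."""
    return parse_level(process_level) >= parse_level(file_level)
```

With this mapping, a process running at s0:c1 does not dominate a file labelled s0:c1,c3, so a file tagged Marketing,CompanyNDA stays out of reach of a process that holds only Marketing.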