Show Table of Contents
49.5. Getting Started with Multi-Category Security (MCS)
This section provides an introduction to using MCS labels to extend the Mandatory Access Control (MAC) capabilities of SELinux. It discusses MCS categories, SELinux user identities, and how they apply to Linux user accounts and files. It builds on the conceptual information provided in Section 49.4, “Multi-Category Security (MCS)”, and introduces some basic examples of usage.
49.5.1. Introduction
MCS labeling from a user and system administrator standpoint is straightforward. It consists of configuring a set of categories, which are simply text labels, such as "Company_Confidential" or "Medical_Records", and then assigning users to those categories. The system administrator first configures the categories, then assigns users to them as required. The users can then use the labels as they see fit.
The names of the categories and their meanings are set by the system administrator, and can be set to whatever is required for the specific deployment. A system in a home environment may have only one category of "Private", and be configured so that only trusted local users are assigned to this category.
In a corporate environment, categories could be used to identify documents confidential to specific departments. Categories could be established for "Finance", "Payroll", "Marketing", and "Personnel". Only users assigned to those categories can access resources labeled with the same category.
After users have been assigned to categories, they can label any of their own files with any of the categories to which they have been assigned. For example, a home user in the system described above could label all of their personal files as "Private", and no service such as Apache or vsftp would ever be able to access those files, because they don't have access to the "Private" category.
MCS works on a simple principle: to access a file, a user needs to be assigned to all of the categories with which the file is labeled. The MCS check is applied after normal Linux Discretionary Access Control (DAC) and Type Enforcement (TE) rules, so it can only further restrict security.
49.5.2. Comparing SELinux and Standard Linux User Identities
SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:
- system_u — System processes
- root — System administrator
- user_u — All login users
Use the
semanage user -l command to list SELinux users:
~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root user s0 s0-s0:c0.c1023 system_r sysadm_r user_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0-s0:c0.c1023 system_r sysadm_r user_r
Refer to Section 49.8.3, “Understanding the Users and Roles in the Targeted Policy” for more information about SELinux users and roles.
SELinux Logins
One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectively use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (user_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.
Use the
semanage login -a command to assign Linux users to SELinux user identities:
~]#semanage login -a james~]#semanage login -a daniel~]#semanage login -a olga
Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:
~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
james user_u s0
daniel user_u s0
root root s0-s0:c0.c1023
olga user_u s0
Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.
Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.
49.5.3. Configuring Categories
SELinux maintains a mapping between internal sensitivity and category levels and their human-readable representations in the
setrans.conf file. The system administrator edits this file to manage and maintain the required categories.
Use the
chcat -L command to list the current categories:
~]# chcat -L
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
To modify the categories or to start creating your own, modify the
/etc/selinux/<selinuxtype>/setrans.conf file. For the example introduced above, add the Marketing, Finance, Payroll, and Personnel categories as follows (this example uses the targeted policy, and irrelevant sections of the file have been omitted):
~]# vi /etc/selinux/targeted/setrans.conf
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
Use the
chcat -L command to check the newly-added categories:
~]# chcat -L
s0:c0 Marketing
s0:c1 Finance
s0:c2 Payroll
s0:c3 Personnel
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHighNote
After you make any changes to the
setrans.conf file, you need to restart the MCS translation service before those changes take effect. Use the following command to restart the service:
~]# service mcstrans restart49.5.4. Assigning Categories to Users
Now that the required categories have been added to the system, you can start assigning them to SELinux users and files. To further develop the example above, assume that James is in the Marketing department, Daniel is in the Finance and Payroll departments, and Olga is in the Personnel department. Each of these users has already been assigned an SELinux login.
Use the
chcat command to assign MCS categories to SELinux logins:
~]#chcat -l -- +Marketing james~]#chcat -l -- +Finance,+Payroll daniel~]#chcat -l -- +Personnel olga
You can also use the
chcat command with additional command-line arguments to list the categories that are assigned to users:
~]# chcat -L -l daniel james olga
daniel: Finance,Payroll
james: Marketing
olga: Personnel
You can add further Linux users, assign them to SELinux user identities and then assign categories to them as required. For example, if the company director also requires a user account with access to all categories, follow the same procedure as above:
# Create a user account for the company director (Karl) ~]#useradd karl~]#passwd karlChanging password for user karl. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. # Assign the user account to an SELinux login ~]#semanage login -a karl# Assign all the MCS categories to the new login ~]#chcat -l -- +Marketing,+Finance,+Payroll,+Personnel karl
Use the
chcat command to verify the addition of the new user:
~]# chcat -L -l daniel james olga karl
daniel: Finance,Payroll
james: Marketing
olga: Personnel
karl: Marketing,Finance,Payroll,PersonnelNote
MCS category access is assigned during login. Consequently, a user does not have access to newly-assigned categories until they log in again. Similarly, if access to a category is revoked, this is only apparent to the user after the next login.
49.5.5. Assigning Categories to Files
At this point we have a system that has several user accounts, each of which is mapped to an SELinux user identity. We have also established a number of categories that are suitable for the particular deployment, and assigned those categories to different users.
All of the files on the system, however, still fall under the same category, and are therefore accessible by everyone (but still according to the standard Linux DAC and TE constraints). We now need to assign categories to the various files on the system so that only the appropriate users can access them.
For this example, we create a file in Daniel's home directory:
[daniel@dhcp-133 ~]$ echo "Financial Records 2006" > financeRecords.txt
Use the
ls -Z command to check the initial security context of the file:
[daniel@dhcp-133 ~]$ ls -Z financeRecords.txt
-rw-r--r-- daniel daniel user_u:object_r:user_home_t financeRecords.txt
Notice that at this stage the file has the default context for a file created in the user's home directory (
user_home_t) and has no categories assigned to it. We can add the required category using the chcat command. Now when you check the security context of the file, you can see the category has been applied.
[daniel@dhcp-133 ~]$chcat -- +Finance financeRecords.txt[daniel@dhcp-133 ~]$ls -Z financeRecords.txt-rw-r--r-- daniel daniel root:object_r:user_home_t:Finance financeRecords.txt
In many cases, you need to assign more than one category to a file. For example, some files may need to be accessible to users from both the Finance and Payroll departments.
[daniel@dhcp-133 ~]$chcat -- +Payroll financeRecords.txt[daniel@dhcp-133 ~]$ls -Z financeRecords.txt-rw-r--r-- daniel daniel root:object_r:user_home_t:Finance,Payroll financeRecords.txt
Each of the categories that have been assigned to the file are displayed in the security context. You can add and delete categories to files as required. Only users assigned to those categories can access that file, assuming that Linux DAC and TE permissions would already allow the access.
If a user who is assigned to a different category tries to access the file, they receive an error message:
[olga@dhcp-133 ~]$ cat financeRecords.txt
cat: financeRecords.txt: Permission DeniedNote
Refer to the man pages for
semanage and chcat for more information on the available options for these commands.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.