Chapter 7. Using Multi-Category Security (MCS) for data confidentiality

You can use MCS to enhance the data confidentiality of your system by categorizing data, and then granting certain processes and users access to specific categories.

7.1. Multi-Category Security (MCS)

Multi-Category Security (MCS) is an access control mechanism that uses categories assigned to processes and files. A process can then access a file only if the process is assigned every category that is assigned to the file. The purpose of MCS is to maintain data confidentiality on your system.

MCS categories are defined by the values c0 to c1023, but you can also define a text label for each category or combination of categories, such as “Personnel”, “ProjectX”, or “ProjectX.Personnel”. The MCS Translation service (mcstrans) then replaces the category values with the appropriate labels in system inputs and outputs, so that users can use these labels instead of the category values.

When users are assigned to categories, they can label any of their files with any of the categories to which they have been assigned.

MCS works on a simple principle: to access a file, a user must be assigned to all of the categories that have been assigned to the file. The MCS check is applied after normal Linux Discretionary Access Control (DAC) and SELinux Type Enforcement (TE) rules, so it can only further restrict existing security configuration.

MCS within Multi-Level Security

You can use MCS on its own as a non-hierarchical system, or you can use it in combination with Multi-Level Security (MLS) as a non-hierarchical layer within a hierarchical system.

An example of MCS within MLS could be a secretive research organization, where files are classified like this:

Table 7.1. Example of combinations of security levels and categories

Security level    Category
                  Not specified   Project X   Project Y   Project Z
Unclassified      s0              s0:c0       s0:c1       s0:c2
Confidential      s1              s1:c0       s1:c1       s1:c2
Secret            s2              s2:c0       s2:c1       s2:c2
Top secret        s3              s3:c0       s3:c1       s3:c2

Note

A user with a range s0:c0.c1023 would be able to access all files assigned to all categories on level s0, unless the access is prohibited by other security mechanisms, such as DAC or type enforcement policy rules.

The resulting security context of a file or process is a combination of:

  • SELinux user
  • SELinux role
  • SELinux type
  • MLS sensitivity level
  • MCS category

For example, a non-privileged user with access to sensitivity level 1 and category 2 in an MLS/MCS environment could have the following SELinux context:

user_u:user_r:user_t:s1:c2

7.2. Configuring Multi-Category Security for data confidentiality

By default, Multi-Category Security (MCS) is active in the targeted and mls SELinux policies but is not configured for users. In the targeted policy, MCS is configured only for:

  • OpenShift
  • virt
  • sandbox
  • network labeling
  • containers (container-selinux)

You can configure MCS to categorize users by creating a local SELinux module with a rule that adds the user_t SELinux type to the mcs_constrained_type attribute. Processes running as user_t are then subject to the MCS category constraints in addition to type enforcement.

Warning

Changing the categories of certain files may render some services non-operational. If you are not an expert, contact your Red Hat sales representative and request consulting services.

Prerequisites

  • The SELinux mode is set to enforcing.
  • The SELinux policy is set to targeted or mls.
  • The policycoreutils-python-utils and setools-console packages are installed.

Procedure

  1. Create a new file named, for example, local_mcs_user.cil:

    # vim local_mcs_user.cil
  2. Insert the following rule:

    (typeattributeset mcs_constrained_type (user_t))
  3. Install the policy module:

    # semodule -i local_mcs_user.cil

Verification

  • Display the attributes of the user_t type and confirm that mcs_constrained_type appears among them; the module is effective only if it does:

    # seinfo -xt user_t
    
    Types: 1
    type user_t, application_domain_type, nsswitch_domain, corenet_unlabeled_type, domain, kernel_system_state_reader, mcs_constrained_type, netlabel_peer_type, privfd, process_user_target, scsi_generic_read, scsi_generic_write, syslog_client_type, pcmcia_typeattr_1, user_usertype, login_userdomain, userdomain, unpriv_userdomain, userdom_home_reader_type, userdom_filetrans_type, xdmhomewriter, x_userdomain, x_domain, dridomain, xdrawable_type, xcolormap_type;

7.3. Defining category labels in MCS

You can manage and maintain labels for MCS categories, or for combinations of MCS categories with MLS levels, on your system by editing the setrans.conf file. The MCS translation service (mcstrans) reads this file, which maps internal sensitivity and category values to their human-readable labels.

Note

Category labels are a convenience for users: mcstrans translates between labels and raw values in command input and output, while access decisions are always made on the raw sensitivity and category values. MCS works the same whether you define labels or not.

Prerequisites

  • The SELinux mode is set to enforcing.
  • The SELinux policy is set to targeted or mls.
  • The policycoreutils-python-utils and mcstrans packages are installed.

Procedure

  1. Modify existing categories or create new categories by editing the /etc/selinux/<selinuxpolicy>/setrans.conf file in a text editor. Replace <selinuxpolicy> with targeted or mls depending on the SELinux policy you use. For example:

    # vi /etc/selinux/targeted/setrans.conf
  2. In the setrans.conf file for your policy, define the combinations of categories required by your scenario using the syntax s<security level>:c<category number>=<category.name>, for example:

    s0:c0=Marketing
    s0:c1=Finance
    s0:c2=Payroll
    s0:c3=Personnel
    • You can use category numbers from c0 to c1023.
    • In the targeted policy, use the s0 security level.
    • In the mls policy, you can label each combination of sensitivity levels and categories.
  3. Optional: In the setrans.conf file, you can also label the MLS sensitivity levels.
  4. Save and exit the file.
  5. To make the changes effective, restart the MCS translation service:

    # systemctl restart mcstrans
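The translation that this procedure configures, modelled as an added example: the Python below was written for this page and is neither part of the Red Hat documentation nor the mcstrans implementation. It parses a constructed setrans.conf (SAMPLE_SETRANS, built from the entries in the steps above plus the default SystemLow/SystemHigh lines) and applies exact-match translation to full security contexts in both directions. The function names are the example's own.

```python
"""Translate raw MCS levels to setrans.conf labels and back.

Added example for this page, not code from Red Hat or from mcstrans. It
models the exact-match 'raw=label' translation described in 7.3 so a
setrans.conf mapping can be checked offline before mcstrans is restarted.
Only 'raw=label' lines are handled, and the label is looked up for the
level field as a whole: a combination such as s0:c0,c1 is translated only
if it has its own line.
"""

# Constructed sample; the four business labels are the ones used on this page.
SAMPLE_SETRANS = """\
# constructed sample of /etc/selinux/targeted/setrans.conf
s0=
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
s0:c0=Marketing
s0:c1=Finance
s0:c2 = Payroll
s0:c3=Personnel
"""


def parse_setrans(text):
    """Return {raw_level: label} for every 'raw=label' line.

    Blank lines and '#' comments are ignored. An empty label (as on the
    's0=' line) means the raw value is displayed unchanged, so it is not
    recorded. A duplicate raw value is an error rather than a silent
    overwrite, because the later line would otherwise hide the earlier one.
    """
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected raw=label, got {line!r}")
        raw, label = (part.strip() for part in line.split("=", 1))
        if raw in mapping:
            raise ValueError(f"line {lineno}: duplicate mapping for {raw!r}")
        if label:
            mapping[raw] = label
    return mapping


def _level_fields(context):
    """Split 'user:role:type:level' into its four fields.

    The level itself may contain ':' (s0:c0) or '-' (s0-s0:c0.c1023), so
    split on at most three colons. Anything without four fields is treated
    as a bare level or label and None is returned.
    """
    parts = context.split(":", 3)
    return parts if len(parts) == 4 else None


def to_label(context, mapping):
    """What mcstrans does on output (for example ls -Z): replace the level
    field by its label when an exact mapping exists, otherwise leave it raw."""
    parts = _level_fields(context)
    if parts is None:
        return mapping.get(context, context)
    parts[3] = mapping.get(parts[3], parts[3])
    return ":".join(parts)


def to_raw(context, mapping):
    """What mcstrans does on input (for example chcat arguments): map a label
    in the level field back to its raw value."""
    reverse = {label: raw for raw, label in mapping.items()}
    parts = _level_fields(context)
    if parts is None:
        return reverse.get(context, context)
    parts[3] = reverse.get(parts[3], parts[3])
    return ":".join(parts)


if __name__ == "__main__":
    table = parse_setrans(SAMPLE_SETRANS)
    for ctx in ("user_u:object_r:user_home_t:s0:c0",
                "user_u:object_r:user_home_t:s0:c0,c1",
                "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"):
        print(f"{ctx}  ->  {to_label(ctx, table)}")
    print(to_raw("user_u:user_r:user_t:Finance", table))
```

The second context in the usage shows the caveat that matters in practice: a file carrying both c0 and c1 is printed raw, because only the exact strings present in setrans.conf are translated. Define a line for every combination you expect users to see.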

Verification

  • Display the current categories:

    # chcat -L

    The example above produces the following output:

    s0:c0                          Marketing
    s0:c1                          Finance
    s0:c2                          Payroll
    s0:c3                          Personnel
    s0
    s0-s0:c0.c1023                 SystemLow-SystemHigh
    s0:c0.c1023                    SystemHigh

Additional resources

  • The setrans.conf(5) man page.

7.4. Assigning categories to users in MCS

You can define user authorizations by assigning categories to Linux users. A user with assigned categories can access and modify files that have a subset of the user’s categories. Users can also assign files they own to categories they have been assigned to.

A Linux user cannot be assigned to a category that is outside of the security range defined for the relevant SELinux user.

Note

Category access is assigned during login. Consequently, users do not have access to newly assigned categories until they log in again. Similarly, if you revoke a user’s access to a category, this is effective only after the user logs in again.

Prerequisites

  • The SELinux mode is set to enforcing.
  • The SELinux policy is set to targeted or mls.
  • The policycoreutils-python-utils package is installed.
  • Linux users are assigned to SELinux confined users:

    • Non-privileged users are assigned to user_u.
    • Privileged users are assigned to staff_u.

Procedure

  1. Define the security range for the SELinux user. The range is written as low-high:

    # semanage user -m -rs0-s0:c0.c9 <user_u>

    Use category numbers c0 to c1023 or category labels as defined in the setrans.conf file. Keep the low level at s0 unless every login mapped to this SELinux user must carry those categories: a login range fits only if its low level includes at least the categories of the SELinux user's low level and its high level includes no more than the categories of the SELinux user's high level. For additional information, see Defining category labels in MCS .

  2. Assign MCS categories to a Linux user. You can specify only a range within the range defined for the relevant SELinux user:

    # semanage login -m -rs0:c1 <Linux.user1>
    Note

    You can add or remove categories from Linux users by using the chcat command. The following example adds <category1> and removes <category2> from <Linux.user1> and <Linux.user2>:

    # chcat -l -- +<category1>,-<category2> <Linux.user1>,<Linux.user2>

    You must specify -- on the command line before using the -<category> syntax. Otherwise, the chcat command misinterprets the category removal as a command option.
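The two comparisons behind this chapter, as an added example: the rule from Multi-Category Security (MCS) that a process must hold every category assigned to a file, and the constraint in step 2 above that a Linux user's range must lie within the SELinux user's range. The Python below was written for this page and is not code from the Red Hat documentation or from SELinux; the function names (parse_level, mcs_allows, range_within) and the sample contexts are the example's own. It parses the raw level syntax used on this page (labels from setrans.conf are rejected, not translated), and for a process with a range it compares the high end of that range with the file's level, which is the comparison this model assumes the MCS file constraints make.

```python
"""Model the MCS comparisons used in this chapter.

Added example for this page, not code from Red Hat or from SELinux. It
re-implements in Python the level comparison that the policy performs, so
that category assignments can be reasoned about before they are applied
with semanage or chcat. Only the raw syntax shown on this page is accepted
(s0, s0:c1, s0:c0.c1023, s0-s0:c0.c9); convert labels to raw values first.
"""
import re

_SENS = re.compile(r"s(\d+)")
_CAT = re.compile(r"c(\d+)")


def _category(token, spec):
    m = _CAT.fullmatch(token)
    if not m:
        raise ValueError(f"bad category {token!r} in level {spec!r}")
    return int(m.group(1))


def parse_level(spec):
    """Parse 's1:c0.c3,c7' into (sensitivity, frozenset of category numbers).

    'cX.cY' is an inclusive run, ',' separates items, a bare 'sN' has no
    categories, and categories must lie in c0..c1023.
    """
    sens, _, cats = spec.partition(":")
    m = _SENS.fullmatch(sens)
    if not m:
        raise ValueError(f"bad sensitivity in level {spec!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = _category(lo, spec)
        hi_n = _category(hi, spec) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 1023:
            raise ValueError(f"category run {item!r} out of order or above c1023")
        categories.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(categories)


def parse_range(spec):
    """Parse 'low-high'; a single level means low == high."""
    low, _, high = spec.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """Level a dominates level b when a's sensitivity is at least b's and
    a's category set is a superset of b's (frozenset >= is issuperset)."""
    return a[0] >= b[0] and a[1] >= b[1]


def level_of(context):
    """Return the level field of 'user:role:type:level'. The level itself
    contains ':' so split on at most three colons."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"context {context!r} has no level field")
    return parts[3]


def mcs_allows(process_context, file_context):
    """The MCS rule: the process must hold every category on the file.

    A process context may carry a range; this model compares the high end
    of that range (the clearance) with the file's level. DAC and type
    enforcement are checked separately and are not modelled here.
    """
    _, process_high = parse_range(level_of(process_context))
    _, file_high = parse_range(level_of(file_context))
    return dominates(process_high, file_high)


def range_within(login_range, seuser_range):
    """The constraint on semanage login -r: the Linux user's range must lie
    inside the SELinux user's range, i.e. its low level dominates the
    SELinux user's low level and its high level is dominated by the
    SELinux user's high level."""
    login_low, login_high = parse_range(login_range)
    seuser_low, seuser_high = parse_range(seuser_range)
    return dominates(login_low, seuser_low) and dominates(seuser_high, login_high)


if __name__ == "__main__":
    process = "user_u:user_r:user_t:s0:c1"
    for path, ctx in [("finance.txt", "user_u:object_r:user_home_t:s0:c1"),
                      ("payroll.txt", "user_u:object_r:user_home_t:s0:c1,c2")]:
        verdict = "allowed" if mcs_allows(process, ctx) else "denied by MCS"
        print(f"{process} -> {path}: {verdict}")
    # A low end that already carries categories rejects login ranges with fewer.
    print(range_within("s0:c1", "s0-s0:c0.c9"), range_within("s0:c1", "s0:c0,c1-s0:c0.c9"))
```

The last line of the usage is the caveat to take away from step 1: with the SELinux user's range set to s0-s0:c0.c9, a login range of s0:c1 fits, but with a low level of s0:c0,c1 it does not, because the login range's low level would have to include c0 as well. The payroll.txt case shows the file side of the same rule: one missing category is enough for MCS to deny access even though the user holds c1.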

Verification

  • List the categories assigned to Linux users:

    # chcat -L -l <Linux.user1>,<Linux.user2>
    <Linux.user1>: <category1>,<category2>
    <Linux.user2>: <category1>,<category2>

Additional resources

  • chcat(8) man page

7.5. Assigning categories to files in MCS

You need administrative privileges to assign categories to users. Users can then assign categories to files. To modify the categories of a file, users must have access rights to that file. Users can only assign a file to a category that is assigned to them.

Note

The system combines category access rules with conventional file access permissions. For example, if a user with a category of bigfoot uses Discretionary Access Control (DAC) to block access to a file by other users, other bigfoot users cannot access that file. A user assigned to all available categories still may not be able to access the entire file system.

Prerequisites

  • The SELinux mode is set to enforcing.
  • The SELinux policy is set to targeted or mls.
  • The policycoreutils-python-utils package is installed.
  • Access and permissions to a Linux user that is assigned to the category.

  • Access and permissions to the file you want to add to the category.
  • For verification purposes: Access and permissions to a Linux user not assigned to this category

Procedure

  • Add categories to a file:

    $ chcat -- +<category1>,+<category2> <path/to/file1>

    Use category numbers c0 to c1023 or category labels as defined in the setrans.conf file. For additional information, see Defining category labels in MCS .

    You can remove categories from a file by using the same syntax:

    $ chcat -- -<category1>,-<category2> <path/to/file1>
    Note

    When removing a category, you must specify -- on the command line before using the -<category> syntax. Otherwise, the chcat command misinterprets the category removal as a command option.

Verification

  1. Display the security context of the file to verify that it has the correct categories:

    $ ls -lZ <path/to/file>
    -rw-r--r--  <LinuxUser1> <Group1> root:object_r:user_home_t:<sensitivity>:<category> <path/to/file>

    The specific security context of the file may differ.

  2. Optional: Attempt to access the file when logged in as a Linux user not assigned to the same category as the file:

    $ cat <path/to/file>
    cat: <path/to/file>: Permission denied

Additional resources

  • semanage(8) and chcat(8) man pages