Multi-level security

Stephen Smalley sds at
Thu May 26 12:45:43 UTC 2005

On Thu, 2005-05-26 at 09:41 +0300, George J. Jahchan wrote:
> Is there a way in SE Linux to set security levels to sources / targets and deny
> access from a source to any target whose security level is higher than that of
> the source?

Yes, but the MLS support wasn't enabled in FC3.  It is included in the
FC4 kernels, but is only enabled if you build a MLS-enabled policy (by
default, MLS is disabled in the policy).  Dan Walsh has an experimental
MLS policy package that he is presently maintaining on his site (see the
selinux-policy-mls* packages under that should be available
in the FC5 development tree when it opens (after FC4 is released).

Alternatively, you can emulate MLS in SELinux via TE rules, by defining
domains and types that correspond to the desired MLS levels and
explicitly defining how they may interact via TE allow rules in a manner
that is consistent with MLS restrictions.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list