Stephen Smalley sds at
Fri Sep 2 16:20:23 UTC 2005

On Fri, 2005-09-02 at 10:40 -0400, Gene Czarcinski wrote: 
> While I am more interested in a MLS (Multiple Level System) capability with 
> selinux, MCS is pretty close since it is "simply" MLS (multi-levels, 
> multi-categories) with a single level and multi-categories.

I'll take a stab at answering, although I think that James or Dan will
have more precise answers for MCS.

MCS and MLS are actually rather different.  IIUC, under MCS, clearance
determines current access rather than current level, and objects (files)
are only labeled with categories upon explicit request by the process
(e.g. the user runs chcon on the file to set a category on it).  MCS
doesn't try to prevent "write down", so it doesn't try to address the
trojan horse problem.  MCS is effectively a discretionary model to allow
users to mark their data with additional tags that further restrict
access.  The only mandatory aspect is authorizing users for categories
by defining their clearance in policy.  However, MCS and MLS exercise
the same code paths and share the same support infrastructure.  They
just differ in their specific configuration.

> However, I do have some questions --
> 1.  Is most/all of the needed updates available for FC4 or should I plan to 
> use the FC5-development packages?

You'll need the development packages, and some of the MCS-related
packages are still only in Dan's own site at present for experimentation
AFAIK.  See his posting to selinux list.

> 2.  It appears that MCS is only available with targeted policy (not with the 
> strict policy).  Are there plans to include it in strict at some future time?

MCS is based on targeted, as the goal IIUC is for it to replace targeted
as the default policy in Fedora.  Porting MCS to strict likely wouldn't
be hard.  Dan also posted links to a MLS (not MCS) policy based on
strict available from his site earlier to selinux list.  Not clear if he
is still maintaining that, although there will ultimately be a MLS
policy separate from MCS.

> 3.  To me, a key capability to make either MLS or MCS practical is to 
> implement polyinstantiation of /tmp and /home/<userid> directories so that 
> different levels and/or categories with really have different directories.  
> Has this been implemented?  How does it work?

Under development - see Janak's postings to selinux and redhat-lspp
lists.  It is being done in userspace via per-process namespaces and
bind mounts.  Currently also depends on a kernel patch that isn't
upstream yet for unshare(2). 

> 4.  How do I enable MCS given that I am now running selinux-targeted in 
> enforcing mode?

You need to update to rawhide, and then you can install the MCS packages
from Dan's site, I believe. 

> Comment:  While I understand that Red Hat folks would want to make a system 
> upgrade to MCS NOT require a system relabel,  I (personally) do not consider 
> it a big deal to require full relabeling to transition to either MCS or MLS.

But it is critical if they want to make MCS the default in FC5, so that
people can upgrade from FC4. 

> 5.  Is it the goal for MCS to make it fully implemented and an 
> installation/upgrade option for FC5?

Fully implemented IIUC. 

> 6.  Any tips on using MCS?
> 7.  Is there anything the developers would especially like tested?

I'll leave these to Dan or James.

> 8.  IIUC, "newrole -l" will be used to switch level & category on an MLS 
> system and "just" category on an MCS system.  Is this correct?

I would expect so, although possibly newrole could take an option just
for category setting.

> 9.  IIUC, the implementation supports a large number of levels (currently 10 
> or s0-s9 but could be larger or smaller) and an even larger number of 
> categories (currently 128 or c0-c127 but could be larger or smaller).  Is 
> this correct?

Yes.  No fundamental limitations there.

> 10.  While the current implementation has levels specified as s0-s9 and 
> categories as c0-c127, there needs to some way to relate these "internal" 
> specifications to something more meaningful to real people.  For example, for 
> sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret, 
> etc.  In a similar manner, categories need something like c0=foo, c1=bar, 
> c2=CompanyPropin, etc.  Has anything been done with this in mind?  What are 
> the plans for this?

Yes, libselinux will now invoke an external translation library for
contexts if it is present on the system.   Currently available from
Dan's site.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list