MCS
James Morris
jmorris at namei.org
Fri Sep 2 20:58:27 UTC 2005
On Fri, 2 Sep 2005, Stephen Smalley wrote:
> > 5. Is it the goal for MCS to make it fully implemented and an
> > installation/upgrade option for FC5?
>
> Fully implemented IIUC.
Yes, our hope is to make MCS the default for FC5, and for nobody to notice
it's even there unless they start using category labels.
It still needs some work.
> > 8. IIUC, "newrole -l" will be used to switch level & category on an MLS
> > system and "just" category on an MCS system. Is this correct?
>
> I would expect so, although possibly newrole could take an option just
> for category setting.
You should not need to change levels under MCS. In fact, a property of
MCS is that processes always run at the same level "s0" and the high range
clearance is only used for determining access to categories.
If this is not enforced by policy yet, it probably should be.
I'm planning on documenting MCS in more detail once we have a few more
issues sorted out and hopefully ready to enable in rawhide.
- James
--
James Morris
<jmorris at namei.org>
More information about the fedora-selinux-list
mailing list