Introducing Multi-Category Security (MCS) SELinux policy in Rawhide

[Daniel J Walsh]

Tonights rawhide update for selinux-policy-targeted and selinux-policy-strict include MCS.

What is MCS?

Multi-category Security (MCS) is a discretionary labeling mechanism for 
SELinux.  It allows users to add meaningful security labels to their own 
files.  Only domains with access to these labels will then be able to 
access the files.  Examples of category labels are "Company Confidential", 
"Intranet Only" and "Patient Records".

MCS can only further restrict access to files, after Unix DAC rules and 
SELinux MAC Type Enforcement rules have been applied. MCS uses much of the 
Multi-level Security (MLS) technology present in SELinux, but is designed 
to be simpler and map more readily to general use.

The general idea is to provide end users with more control over the 
security of their own files and help make SELinux more user-oriented.  In 
the future, we expect to make use of category labels in areas such as 
labeled printing, where the category label is printed on each page.

A reboot is required to turn on the MLS/MCS field on policy.  The goal was to allow everything
to continue working without the reboot.  A relabel should not be necessary.

Dan


--