Chapter 7. Using Multi-Category Security (MCS) for data confidentiality
You can use MCS to enhance the data confidentiality of your system by categorizing data, and then granting certain processes and users access to specific categories.
7.1. Multi-Category Security (MCS)
Multi-Category Security (MCS) is an access control mechanism that uses categories assigned to processes and files. Files can then be accessed only by processes that are assigned to the same categories. The purpose of MCS is to maintain data confidentiality on your system.
MCS categories are defined by the values c0 to c1023, but you can also define a text label for each category or combination of categories, such as “Personnel”, “ProjectX”, or “ProjectX.Personnel”. The MCS Translation service (mcstrans) then replaces the category values with the appropriate labels in system inputs and outputs, so that users can use these labels instead of the category values.
When users are assigned to categories, they can label any of their files with any of the categories to which they have been assigned.
MCS works on a simple principle: to access a file, a user must be assigned to all of the categories that have been assigned to the file. The MCS check is applied after normal Linux Discretionary Access Control (DAC) and SELinux Type Enforcement (TE) rules, so it can only further restrict existing security configuration.
MCS within Multi-Level Security
You can use MCS on its own as a non-hierarchical system, or you can use it in combination with Multi-Level Security (MLS) as a non-hierarchical layer within a hierarchical system.
An example of MCS within MLS could be a secretive research organization, where files are classified like this:
Security level | Not specified | Project X | Project Y | Project Z
Unclassified   |               |           |           |
Confidential   |               |           |           |
Secret         |               |           |           |
Top secret     |               |           |           |
Each cell is one combination of a hierarchical sensitivity level (the rows) and a non-hierarchical project category (the columns).
A user with a range s0:c0.c1023 would be able to access all files assigned to all categories on level s0, unless the access is prohibited by other security mechanisms, such as DAC or type enforcement policy rules.
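The category rule described above, as an added worked example that is not part of the Red Hat documentation: a small POSIX shell model that expands MCS category ranges and evaluates the SELinux "dominates" relation (sensitivity greater than or equal, category set a superset) between the high end of a user's range and a file's level. The reference policy's MCS constraints compare the high level of the process (h1) with the level of the object (h2), so the helper takes the high end of a low-high range. All inputs are constructed, and the script models only the MCS category check, not the DAC and type-enforcement decisions that run before it on a real system.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation: a shell model of the MCS
# access rule. It only models the category/sensitivity comparison; DAC and
# type enforcement are decided first on a real system and can still deny.

# mcs_expand CATS: print every category number in CATS, one per line.
# CATS is the part after the colon of a level, e.g. "c0.c3,c7"; "c0.c3" is the
# inclusive range c0,c1,c2,c3. An empty CATS prints nothing.
mcs_expand() {
    cats=$1
    [ -n "$cats" ] || return 0
    old_ifs=$IFS; IFS=','
    for item in $cats; do
        case $item in
            c*.c*)
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done
                ;;
            c*) echo "${item#c}" ;;
            *)  IFS=$old_ifs; echo "mcs_expand: bad category '$item'" >&2; return 2 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# mcs_dominates SUBJECT OBJECT: exit 0 when level SUBJECT dominates level OBJECT,
# i.e. its sensitivity is >= and its category set is a superset.
# Levels are written "sN" or "sN:CATS".
mcs_dominates() {
    s_sens=${1%%:*}; s_sens=${s_sens#s}
    o_sens=${2%%:*}; o_sens=${o_sens#s}
    case $1 in *:*) s_cats=${1#*:} ;; *) s_cats='' ;; esac
    case $2 in *:*) o_cats=${2#*:} ;; *) o_cats='' ;; esac
    [ "$s_sens" -ge "$o_sens" ] || return 1
    s_set=$(mcs_expand "$s_cats") || return 2
    o_set=$(mcs_expand "$o_cats") || return 2
    for c in $o_set; do
        # every category on the object must also be present on the subject
        echo "$s_set" | grep -qx "$c" || return 1
    done
    return 0
}

# mcs_can_access USER_RANGE FILE_LEVEL: exit 0 when a process at the high end
# of USER_RANGE ("low-high", or a single level) dominates FILE_LEVEL. The
# reference policy's MCS constraints compare the subject's high level (h1)
# with the object's level (h2), which is why the high end is used here.
mcs_can_access() {
    case $1 in *-*) high=${1#*-} ;; *) high=$1 ;; esac
    mcs_dominates "$high" "$2"
}

# Constructed demo input: the ranges that appear in this chapter.
mcs_demo() {
    for pair in "s0:c0,c1-s0:c0.c9 s0:c7" "s0:c1 s0:c1,c2" \
                "s0:c0.c1023 s0:c2" "s0-s0:c0.c1023 s1:c2"; do
        set -- $pair
        if mcs_can_access "$1" "$2"; then
            echo "allow  user $1  file $2"
        else
            echo "deny   user $1  file $2"
        fi
    done
}
mcs_demo
```

The last demo line shows the MLS side of the same check: s0-s0:c0.c1023 holds every category, but its sensitivity is s0, so a file at s1:c2 is still denied.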
The resulting security context of a file or process is a combination of:
- SELinux user
- SELinux role
- SELinux type
- MLS sensitivity level
- MCS category
For example, a non-privileged user with access to sensitivity level 1 and category 2 in an MLS/MCS environment could have the following SELinux context:
user_u:user_r:user_t:s1:c2
7.2. Configuring Multi-Category Security for data confidentiality
By default, Multi-Category Security (MCS) is active in the targeted and mls SELinux policies but is not configured for users. In the targeted policy, MCS is configured only for:
- OpenShift
- virt
- sandbox
- network labeling
- containers (container-selinux)
You can configure MCS to categorize users by creating a local SELinux module with a rule that constrains the user_t SELinux type by MCS rules in addition to type enforcement.
Changing the categories of certain files may render some services non-operational. If you are not an expert, contact your Red Hat sales representative and request consulting services.
Prerequisites
- SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils and setools-console packages are installed.
Procedure
1. Create a new file named, for example, local_mcs_user.cil:
# vim local_mcs_user.cil
2. Insert the following rule:
(typeattributeset mcs_constrained_type (user_t))
3. Install the policy module:
# semodule -i local_mcs_user.cil
Verification
For each user domain, display additional details for all the components and check that mcs_constrained_type now appears among the attributes of the domain:
# seinfo -xt user_t
Types: 1
   type user_t, application_domain_type, nsswitch_domain, corenet_unlabeled_type, domain, kernel_system_state_reader, mcs_constrained_type, netlabel_peer_type, privfd, process_user_target, scsi_generic_read, scsi_generic_write, syslog_client_type, pcmcia_typeattr_1, user_usertype, login_userdomain, userdomain, unpriv_userdomain, userdom_home_reader_type, userdom_filetrans_type, xdmhomewriter, x_userdomain, x_domain, dridomain, xdrawable_type, xcolormap_type;
Additional resources
- Creating a local SELinux policy module
- For more information about MCS in the context of containers, see the blog posts How SELinux separates containers using Multi-Level Security and Why you should be using Multi-Category Security for your Linux containers.
7.3. Defining category labels in MCS
You can manage and maintain labels for MCS categories, or combinations of MCS categories with MLS levels, on your system by editing the setrans.conf file. In this file, SELinux maintains a mapping between internal sensitivity and category levels and their human-readable labels.
Category labels only make it easier for users to use the categories. MCS works the same whether you define labels or not.
Prerequisites
- The SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils and mcstrans packages are installed.
Procedure
1. Modify existing categories or create new categories by editing the /etc/selinux/<selinuxpolicy>/setrans.conf file in a text editor. Replace <selinuxpolicy> with targeted or mls depending on the SELinux policy you use. For example:
# vi /etc/selinux/targeted/setrans.conf
2. In the setrans.conf file for your policy, define the combinations of categories required by your scenario using the syntax s<security level>:c<category number>=<category.name>, for example:
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
- You can use category numbers from c0 to c1023.
- In the targeted policy, use the s0 security level.
- In the mls policy, you can label each combination of sensitivity levels and categories.
- Optional: In the setrans.conf file, you can also label the MLS sensitivity levels.
3. Save and exit the file.
4. To make the changes effective, restart the MCS translation service:
# systemctl restart mcstrans
Verification
Display the current categories:
# chcat -L
s0:c0                          Marketing
s0:c1                          Finance
s0:c2                          Payroll
s0:c3                          Personnel
s0
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh
The example above produces the output shown; the last three lines are the default entries that ship with the file.
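As an added example, not from the Red Hat documentation: a POSIX shell lint for setrans.conf entries to run before restarting mcstrans. It checks that each entry has the <range>=<label> shape, that sensitivities and categories parse, that category numbers stay within c0 to c1023 and that c<low>.c<high> ranges are ordered, that only s0 is used in the targeted policy, and that no raw range or label is defined twice (a label used for two different ranges makes translating the label back to a raw context ambiguous). The sample configuration, including the three deliberate mistakes at its end, is constructed; lines whose left-hand side does not start with s (mcstrans directives) are reported and skipped rather than validated.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation: a lint for setrans.conf
# entries. Usage: lint_setrans <targeted|mls> < /etc/selinux/<policy>/setrans.conf
# Exit status is the number of problems found (0 = clean).

# check_cats CATS: exit 0 if CATS is a valid category list such as "c0.c3,c7".
check_cats() {
    old_ifs=$IFS; IFS=','
    for item in $1; do
        case $item in
            c*.c*) lo=${item%%.*}; lo=${lo#c}; hi=${item##*.}; hi=${hi#c}
                   case ${item#*.} in *.*) IFS=$old_ifs; return 1 ;; esac ;;
            c*)    lo=${item#c}; hi=$lo ;;
            *)     IFS=$old_ifs; return 1 ;;
        esac
        case "$lo$hi" in *[!0-9]*|'') IFS=$old_ifs; return 1 ;; esac
        if [ "$lo" -gt 1023 ] || [ "$hi" -gt 1023 ] || [ "$lo" -gt "$hi" ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# check_level LEVEL POLICY: exit 0 if LEVEL is "sN" or "sN:CATS"; N must be 0
# in the targeted policy, which only defines the s0 sensitivity.
check_level() {
    case $1 in
        s*:*) sens=${1%%:*}; sens=${sens#s}; cats=${1#*:}
              [ -n "$cats" ] || return 1 ;;   # "s0:" with nothing after the colon
        s*)   sens=${1#s}; cats='' ;;
        *)    return 1 ;;
    esac
    case $sens in *[!0-9]*|'') return 1 ;; esac
    if [ "$2" = targeted ] && [ "$sens" -ne 0 ]; then return 1; fi
    [ -z "$cats" ] || check_cats "$cats"
}

# lint_setrans POLICY < setrans.conf: print one diagnostic per problem and
# return the number of problems found.
lint_setrans() {
    policy=$1; n=0; errs=0; seen_raw='|'; seen_label='|'
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        raw=${line%%=*}; label=${line#*=}
        if [ "$raw" = "$line" ] || [ -z "$raw" ] || [ -z "$label" ]; then
            echo "line $n: expected <range>=<label>: $line"; errs=$((errs + 1)); continue
        fi
        case $raw in
            s*) ;;
            *)  echo "line $n: skipping non-level directive: $raw"; continue ;;
        esac
        case $raw in
            *-*) low=${raw%%-*}; high=${raw#*-} ;;
            *)   low=$raw; high=$raw ;;
        esac
        if ! check_level "$low" "$policy" || ! check_level "$high" "$policy"; then
            echo "line $n: bad level or category in '$raw' (c0..c1023, sN:cM[.cK], only s0 in targeted)"
            errs=$((errs + 1)); continue
        fi
        case $seen_raw in *"|$raw|"*)
            echo "line $n: range '$raw' already defined"; errs=$((errs + 1)) ;; esac
        case $seen_label in *"|$label|"*)
            echo "line $n: label '$label' already used for another range"; errs=$((errs + 1)) ;; esac
        seen_raw="$seen_raw$raw|"; seen_label="$seen_label$label|"
    done
    return "$errs"
}

# Constructed sample: the labels from this section, the default entries, and
# three deliberate mistakes (category above c1023, s1 in targeted, reused label).
sample_conf='# constructed setrans.conf for the lint demo
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
s0:c1024=TooHigh
s1:c4=WrongLevelForTargeted
s0:c5=Finance'

rc=0; printf '%s\n' "$sample_conf" | lint_setrans targeted || rc=$?
echo "problems found (targeted): $rc"
```

Run against the mls policy the same sample reports two problems instead of three, because s1:c4 is a legitimate level there.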
Additional resources
- The setrans.conf(5) man page.
7.4. Assigning categories to users in MCS
You can define user authorizations by assigning categories to Linux users. A user with assigned categories can access and modify files that have a subset of the user’s categories. Users can also assign files they own to categories they have been assigned to.
A Linux user cannot be assigned to a category that is outside of the security range defined for the relevant SELinux user.
Category access is assigned during login. Consequently, users do not have access to newly assigned categories until they log in again. Similarly, if you revoke a user’s access to a category, this is effective only after the user logs in again.
Prerequisites
- The SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils package is installed.
- Linux users are assigned to SELinux confined users:
  - Non-privileged users are assigned to user_u.
  - Privileged users are assigned to staff_u.
Procedure
1. Define the security range for the SELinux user:
# semanage user -m -rs0:c0,c1-s0:c0.c9 <user_u>
Use category numbers c0 to c1023 or category labels as defined in the setrans.conf file. For additional information, see Defining category labels in MCS.
2. Assign MCS categories to a Linux user. You can specify only a range within the range defined for the relevant SELinux user:
# semanage login -m -rs0:c1 <Linux.user1>
Note: You can add or remove categories from Linux users by using the chcat command. The following example adds <category1> and removes <category2> from <Linux.user1> and <Linux.user2>:
# chcat -l -- +<category1>,-<category2> <Linux.user1>,<Linux.user2>
You must specify -- on the command line before using the -<category> syntax. Otherwise, the chcat command misinterprets the category removal as a command option.
Verification
List the categories assigned to Linux users:
# chcat -L -l <Linux.user1>,<Linux.user2>
<Linux.user1>: <category1>,<category2>
<Linux.user2>: <category1>,<category2>
Additional resources
- chcat(8) man page
7.5. Assigning categories to files in MCS
You need administrative privileges to assign categories to users. Users can then assign categories to files. To modify the categories of a file, users must have access rights to that file. Users can only assign a file to a category that is assigned to them.
The system combines category access rules with conventional file access permissions. For example, if a user with a category of bigfoot uses Discretionary Access Control (DAC) to block access to a file by other users, other bigfoot users cannot access that file. A user assigned to all available categories still may not be able to access the entire file system.
Prerequisites
- The SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils package is installed.
- Access and permissions to a Linux user that is:
  - Assigned to an SELinux user.
  - Assigned to the category to which you want to assign the file. For additional information, see Assigning categories to users in MCS.
- Access and permissions to the file you want to add to the category.
- For verification purposes: Access and permissions to a Linux user not assigned to this category.
Procedure
1. Add categories to a file:
$ chcat -- +<category1>,+<category2> <path/to/file1>
Use category numbers c0 to c1023 or category labels as defined in the setrans.conf file. For additional information, see Defining category labels in MCS.
2. You can remove categories from a file by using the same syntax:
$ chcat -- -<category1>,-<category2> <path/to/file1>
Note: When removing a category, you must specify -- on the command line before using the -<category> syntax. Otherwise, the chcat command misinterprets the category removal as a command option.
Verification
Display the security context of the file to verify that it has the correct categories:
$ ls -lZ <path/to/file>
-rw-r--r-- <LinuxUser1> <Group1> root:object_r:user_home_t:<sensitivity>:<category> <path/to/file>
The specific security context of the file may differ.
Optional: Attempt to access the file when logged in as a Linux user not assigned to the same category as the file:
$ cat <path/to/file>
cat: <path/to/file>: Permission denied
Additional resources
- semanage(8) and chcat(8) man pages