Chapter 7. Using Multi-Category Security (MCS) for data confidentiality
You can use MCS to enhance the data confidentiality of your system by categorizing data, and then granting certain processes and users access to specific categories.
7.1. Multi-Category Security (MCS)
Use Multi-Category Security (MCS) to constrain access to subjects and objects based on category identifiers, such as project or departmental labels. MCS helps ensure effective separation and confidentiality between different domains.
Multi-Category Security (MCS) is an access control mechanism that uses categories assigned to processes and files. Files can then be accessed only by processes that are assigned to the same categories. The purpose of MCS is to maintain data confidentiality on your system.
MCS categories are defined by the values c0 to c1023, but you can also define a text label for each category or combination of categories, such as "Personnel", "ProjectX", or "ProjectX.Personnel". The MCS Translation service (mcstrans) then replaces the category values with the appropriate labels in system inputs and outputs, so that users can use these labels instead of the category values.
When users are assigned to categories, they can label any of their files with any of the categories to which they have been assigned.
MCS works on a simple principle: to access a file, a user must be assigned to all of the categories that have been assigned to the file. The MCS check is applied after normal Linux Discretionary Access Control (DAC) and SELinux Type Enforcement (TE) rules, so it can only further restrict existing security configuration.
7.1.1. MCS within Multi-Level Security (MLS)
You can use MCS on its own as a non-hierarchical system, or you can use it in combination with Multi-Level Security (MLS) as a non-hierarchical layer within a hierarchical system.
An example of MCS within MLS could be a secretive research organization, where files are classified as shown in the following table:
| Security level | Category: Not specified | Category: Project X | Category: Project Y | Category: Project Z |
|---|---|---|---|---|
| Unclassified | | | | |
| Confidential | | | | |
| Secret | | | | |
| Top secret | | | | |
A user with a range s0:c0.1023 would be able to access all files assigned to all categories on level s0, unless the access is prohibited by other security mechanisms, such as DAC or type enforcement policy rules.
The resulting security context of a file or process is a combination of:
- SELinux user
- SELinux role
- SELinux type
- MLS sensitivity level
- MCS category
For example, a non-privileged user with access to sensitivity level 1 and category 2 in an MLS/MCS environment could have the following SELinux context:
user_u:user_r:user_t:s1:c2
7.2. Configuring Multi-Category Security for data confidentiality
Configure Multi-Category Security (MCS) for users to help ensure data confidentiality in targeted and MLS policies. This involves creating a local SELinux module that constrains the user domain by MCS rules.
By default, Multi-Category Security (MCS) is active in the targeted and mls SELinux policies but is not configured for users. In the targeted policy, MCS is configured only for:
- OpenShift
- virt
- sandbox
- network labeling
- containers (container-selinux)
You can configure MCS to categorize users by creating a local SELinux module with a rule that constrains the user_t SELinux type by MCS rules in addition to type enforcement.
Changing the categories of certain files might render some services non-operational. If you are not an expert, contact your Red Hat sales representative and request consulting services.
Prerequisites
- SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils and setools-console packages are installed.
Procedure
1. Create a new file named, for example, local_mcs_user.cil:
   ```
   # touch local_mcs_user.cil
   ```
2. In a text editor, insert the following rule:
   ```
   (typeattributeset mcs_constrained_type (user_t))
   ```
3. Install the policy module:
   ```
   # semodule -i local_mcs_user.cil
   ```
Verification
For each user domain, display additional details for all the components; the mcs_constrained_type attribute in the output shows that the module has been applied to user_t:
```
# seinfo -xt user_t
Types: 1
   type user_t, application_domain_type, nsswitch_domain, corenet_unlabeled_type, domain, kernel_system_state_reader, mcs_constrained_type, netlabel_peer_type, privfd, process_user_target, scsi_generic_read, scsi_generic_write, syslog_client_type, pcmcia_typeattr_1, user_usertype, login_userdomain, userdomain, unpriv_userdomain, userdom_home_reader_type, userdom_filetrans_type, xdmhomewriter, x_userdomain, x_domain, dridomain, xdrawable_type, xcolormap_type;
```
Next step
- For more information about MCS in the context of containers, see the blog posts How SELinux separates containers using Multi-Level Security and Why you should be using Multi-Category Security for your Linux containers.
7.3. Defining category labels in MCS
Define human-readable labels for MCS categories or MLS level combinations by editing the setrans.conf file. Defining these labels makes it easier for users to manage and use categories, although MCS functionality remains the same regardless.
By editing setrans.conf, you can manage and maintain labels for MCS categories, or combinations of MCS categories with MLS levels. In this file, SELinux maintains a mapping between internal sensitivity and category levels and their human-readable labels. See the setrans.conf(5) man page on your system.
Category labels only make it easier for users to use the categories. MCS works the same whether you define labels or not.
Prerequisites
- The SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils and mcstrans packages are installed.
Procedure
1. Modify existing categories or create new categories by editing the /etc/selinux/<selinux_policy>/setrans.conf file in a text editor. Replace <selinux_policy> with targeted or mls depending on the SELinux policy you use. For example:
   ```
   # vi /etc/selinux/targeted/setrans.conf
   ```
2. In the setrans.conf file for your policy, define the combinations of categories required by your scenario using the syntax s<security_level>:c<category_number>=<category_name>, for example:
   ```
   s0:c0=Marketing
   s0:c1=Finance
   s0:c2=Payroll
   s0:c3=Personnel
   ```
   - You can use category numbers from c0 to c1023.
   - In the targeted policy, use the s0 security level.
   - In the mls policy, you can label each combination of sensitivity levels and categories.
   - Optional: In the setrans.conf file, you can also label the MLS sensitivity levels.
3. Save and exit the file.
4. To make the changes effective, restart the MCS translation service:
   ```
   # systemctl restart mcstrans
   ```
Verification
Display the current categories:
```
# chcat -L
```
The example above produces the following output:
```
s0:c0                          Marketing
s0:c1                          Finance
s0:c2                          Payroll
s0:c3                          Personnel
s0
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh
```
7.4. Assigning categories to users in MCS
You can define user authorizations by assigning categories to Linux users. A user with assigned categories can access and modify files that have a subset of the user’s categories. Users can also assign files they own to categories they have been assigned to.
A Linux user cannot be assigned to a category that is outside of the security range defined for the relevant SELinux user.
Category access is assigned during login. Consequently, users do not have access to newly assigned categories until they log in again. Similarly, if you revoke a user’s access to a category, this is effective only after the user logs in again.
Prerequisites
- The SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils package is installed.
- Linux users are assigned to SELinux confined users:
  - Non-privileged users are assigned to user_u.
  - Privileged users are assigned to staff_u.
Procedure
1. Define the security range for the SELinux user:
   ```
   # semanage user -m -rs0:c0,c1-s0:c0.c9 <user_u>
   ```
   Use category numbers c0 to c1023 or category labels as defined in the setrans.conf file. For additional information, see Defining category labels in MCS.
2. Assign MCS categories to a Linux user. You can specify only a range within the range defined for the relevant SELinux user:
   ```
   # semanage login -m -rs0:c1 <Linux.user1>
   ```
3. You can add or remove categories from Linux users by using the chcat command. The following example adds <category1> to, and removes <category2> from, <Linux.user1> and <Linux.user2>:
   ```
   # chcat -l -- +<category1>,-<category2> <Linux.user1>,<Linux.user2>
   ```
   You must specify -- on the command line before using the -<category> syntax. Otherwise, the chcat command misinterprets the category removal as a command option. See the chcat(8) man page on your system for more information.
Verification
List the categories assigned to Linux users:
```
# chcat -L -l <Linux.user1>,<Linux.user2>
<Linux.user1>: <category1>,<category2>
<Linux.user2>: <category1>,<category2>
```
7.5. Assigning categories to files in MCS
Assign Multi-Category Security (MCS) categories to files so that access is restricted only to users assigned to those specific categories. This helps enhance confidentiality by limiting data visibility across different organizational domains.
You need administrative privileges to assign categories to users. Users can then assign categories to files. To modify the categories of a file, users must have access rights to that file. Users can only assign a file to a category that is assigned to them.
The system combines category access rules with conventional file access permissions. For example, if a user with a category of bigfoot uses Discretionary Access Control (DAC) to block access to a file by other users, other bigfoot users cannot access that file. A user assigned to all available categories still might not be able to access the entire file system.
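The MCS rule stated in section 7.1 and restated above, that a user can read a file only when the user holds every category assigned to the file, as an added example that is not part of the Red Hat documentation: a POSIX shell model of the category check that needs no SELinux tooling. It covers single categories, c0.c9-style ranges and a user range such as s0:c0,c1-s0:c0.c9 (the high end is taken as what the user can be granted); the contexts it is run against are constructed, and DAC and type enforcement are not modelled because the kernel checks them separately.

```shell
# Added example, not from the Red Hat documentation: a model of the MCS
# rule "to access a file, a user must hold every category assigned to
# the file". Only the category part of a context is examined here.

# Print the categories of a context or range, one "cN" per line.
# Accepts "c0.c9,c12", "s0:c0.c9" or a range such as "s0:c0,c1-s0:c0.c9";
# for a range the high end is used, the most the subject can be granted.
# Returns 2 on a malformed element.
mcs_expand() {
    spec=$1
    case $spec in *-*) spec=${spec#*-} ;; esac                   # keep high end
    case $spec in *:*) spec=${spec#*:} ;; s[0-9]*) spec= ;; esac  # drop "sN"
    old_ifs=$IFS
    IFS=,
    for part in $spec; do
        case $part in
            c[0-9]*.c[0-9]*)                                     # range cA.cB
                lo=${part%%.*}; hi=${part##*.}
                lo=${lo#c}; hi=${hi#c}
                while [ "$lo" -le "$hi" ]; do
                    echo "c$lo"
                    lo=$((lo + 1))
                done ;;
            c[0-9]*) echo "$part" ;;                             # single cN
            *) echo "invalid category element: $part" >&2
               IFS=$old_ifs; return 2 ;;
        esac
    done
    IFS=$old_ifs
}

# MCS check: 0 when the subject (first argument) holds every category of
# the object (second argument), 1 when one is missing, 2 on bad input.
# An object with no categories passes the MCS check for every subject.
mcs_dominates() {
    have=$(mcs_expand "$1") || return 2
    want=$(mcs_expand "$2") || return 2
    for c in $want; do
        printf '%s\n' "$have" | grep -qx -- "$c" || return 1
    done
    return 0
}

# Constructed scenario: a user cleared for s0:c0.c9, as set with the
# semanage command in section 7.4, against files labelled s0:c1,c3 and s0:c12.
for f in "s0:c1,c3" "s0:c12"; do
    if mcs_dominates "s0:c0.c9" "$f"; then echo "s0:c0.c9 may read $f"
    else echo "s0:c0.c9 is denied $f by MCS"; fi
done
```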
Prerequisites
- The SELinux mode is set to enforcing.
- The SELinux policy is set to targeted or mls.
- The policycoreutils-python-utils package is installed.
- Access and permissions to a Linux user that is:
  - Assigned to an SELinux user.
  - Assigned to the category to which you want to assign the file. For additional information, see Assigning categories to users in MCS.
- Access and permissions to the file you want to add to the category.
- For verification purposes: access and permissions to a Linux user not assigned to this category.
Procedure
1. Add categories to a file:
   ```
   $ chcat -- +<category1>,+<category2> <path/to/file1>
   ```
   Use category numbers c0 to c1023 or category labels as defined in the setrans.conf file. For additional information, see Defining category labels in MCS.
2. You can remove categories from a file by using the same syntax:
   ```
   $ chcat -- -<category1>,-<category2> <path/to/file1>
   ```
   Note: When removing a category, you must specify -- on the command line before using the -<category> syntax. Otherwise, the chcat command misinterprets the category removal as a command option.
Verification
1. Display the security context of the file to verify that it has the correct categories:
   ```
   $ ls -lZ <path/to/file>
   -rw-r--r-- <LinuxUser1> <Group1> root:object_r:user_home_t:<sensitivity>:<category> <path/to/file>
   ```
   The specific security context of the file might differ.
2. Optional: Attempt to access the file when logged in as a Linux user not assigned to the same category as the file:
   ```
   $ cat <path/to/file>
   cat: <path/to/file>: Permission Denied
   ```