Red Hat Summit6.5. Changing a user’s clearance level within the defined security range in MLS
As a user in Multi-Level Security (MLS), you can change your current clearance level within the range the administrator assigned to you. You can never exceed the upper limit of your range or reduce your level below the lower limit of your range. This allows you, for example, to modify lower-sensitivity files without increasing their sensitivity level to your highest clearance level.
For example, as a user assigned to range s1-s3:
-
You can switch to levels
s1,s2, ands3. -
You can switch to ranges
s1-s2, ands2-s3. -
You cannot switch to ranges
s0-s3ors1-s4.
Switching to a different level opens a new shell with the different clearance. This means you cannot return to your original clearance level in the same way as decreasing it. However, you can always return to the previous shell by entering exit.
Prerequisites
-
The SELinux policy is set to
mls. -
SELinux mode is set to
enforcing. - You can log in as a user assigned to a range of MLS clearance levels.
Procedure
Log in as the user from a secure terminal.
Secure terminals are defined in the
/etc/selinux/mls/contexts/securetty_typesfile. By default, the console is a secure terminal, but SSH is not.Check the current user’s security context:
$ id -Z user_u:user_r:user_t:s0-s2In this example, the user is assigned to the
user_uSELinux user,user_rrole,user_ttype, and the MLS security ranges0-s2.Check the current user’s security context:
$ id -Z user_u:user_r:user_t:s1-s2Switch to a different security clearance range within the user’s clearance range:
$ newrole -l s1You can switch to any range whose maximum is lower or equal to your assigned range. Entering a single-level range changes the lower limit of the assigned range. For example, entering
newrole -l s1as a user with as0-s2range is equivalent to enteringnewrole -l s1-s2.
Verification
Display the current user’s security context:
$ id -Z user_u:user_r:user_t:s1-s2Return to the previous shell with the original range by terminating the current shell:
$ exit
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}