红帽全球峰会6.6. Increasing file sensitivity levels in MLS
By default, Multi-Level Security (MLS) users cannot increase file sensitivity levels. However, the security administrator (secadm_r) can change this default behavior to allow users to increase the sensitivity of files by adding the local module mlsfilewrite to the system’s SELinux policy. Then, users assigned to the SELinux type defined in the policy module can increase file classification levels by modifying the file. Any time a user modifies a file, the file’s sensitivity level increases to the lower value of the user’s current security range.
The security administrator, when logged in as a user assigned to the secadm_r role, can change the security levels of files by using the chcon -l s0 /path/to/file command. For more information, see Changing file sensitivity in MLS.
Prerequisites
-
The SELinux policy is set to
mls. -
SELinux mode is set to
enforcing. -
The
policycoreutils-python-utilspackage is installed. -
The
mlsfilewritelocal module is installed in the SELinux MLS policy. You are logged in as a user in MLS which is:
-
Assigned to a defined security range. This example shows a user with a security range
s0-s2. -
Assigned to the same SELinux type defined in the
mlsfilewritemodule. This example requires the(typeattributeset mlsfilewrite (user_t))module.
-
Assigned to a defined security range. This example shows a user with a security range
Procedure
Optional: Display the security context of the current user:
$ id -Z user_u:user_r:user_t:s0-s2Change the lower level of the user’s MLS clearance range to the level which you want to assign to the file:
$ newrole -l s1-s2Optional: Display the security context of the current user:
$ id -Z user_u:user_r:user_t:s1-s2Optional: Display the security context of the file:
$ ls -Z /path/to/file user_u:object_r:user_home_t:s0 /path/to/fileChange the file’s sensitivity level to the lower level of the user’s clearance range by modifying the file:
$ touch /path/to/file重要The classification level reverts to the default value if the
restoreconcommand is used on the system.Optional: Exit the shell to return to the user’s previous security range:
$ exit
Verification
Display the security context of the file:
$ ls -Z /path/to/file user_u:object_r:user_home_t:s1 /path/to/file
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}