Extending SELinux Policies with Multi-Category Security

Explains how Multi-Category Security extends SELinux policies with category labels and walks through enabling and managing MCS for users and files.

Multi-Category Security (MCS) extends the SELinux targeted and Multi-Level Security (MLS) policies so you can assign category labels to processes and files. With MCS, a process can access a file only if the process's own category set includes every category that's applied to the file; a process that lacks even one of the file's categories is refused. The MCS check is evaluated in addition to, never instead of, the type enforcement rules and the standard DAC permissions, so MCS can only further restrict access. Category tags range from c0 to c1023, but you can define text labels for these category values to make them easier to work with. The mcstrans service translates between the category values and text labels when handling system inputs and outputs.

While MLS is used to define different security levels, or sensitivities, for data, MCS is used to group data by purpose. For example, you might run the same service for several projects on one system, where the data within each project has different levels of sensitivity. Users must be granted access only to data that's within their sensitivity clearance for a particular project. MCS enforces this restriction by associating a category with each project. The resulting security context of a file or process is a combination of SELinux user, SELinux role, SELinux type, MLS sensitivity level, and MCS categories.

Matrix to illustrate data sensitivity and category application

Sensitivity         Not specified   Accountancy   Marketing   Development
Unclassified        s0              s0:c0         s0:c1       s0:c2
Internal            s1              s1:c0         s1:c1       s1:c2
Restricted          s2              s2:c0         s2:c1       s2:c2
Highly Restricted   s3              s3:c0         s3:c1       s3:c2

In the example table, a highly privileged user in the accountancy department (c0) who needs to access highly restricted data (s3) might use the following security context:

user_u:user_r:user_t:s3:c0

Sensitivities above s0 exist only in the mls policy. The targeted policy defines a single sensitivity, s0, so under the targeted policy only the category part of the level varies between contexts.

MCS Requirements

Before a system can be configured for MCS, check the following:

  • SELinux must be in enforcing mode. In permissive mode, MCS denials are logged but not enforced.

  • SELinux must be configured to use either the targeted or the mls policy.

  • The policycoreutils-python-utils package must be installed so you can use the chcat and semanage commands.

  • The setools-console package can be installed to use the seinfo command for verification.

  • Confined SELinux user mappings are typical when using MCS. For example, nonprivileged users are mapped to user_u, while privileged users are mapped to staff_u. Define the user mappings before configuring MCS to make the process easier. See Administering SELinux Users.

Enabling MCS for Users

MCS is active by default in SELinux, but its constraints apply only to domains that carry the mcs_constrained_type attribute, and the standard user domains don't carry it. To make MCS restrict users, create a policy module that adds the mcs_constrained_type attribute to the user domain.

  1. Create a file that contains the rule.

    For example:

    echo '(typeattributeset mcs_constrained_type (user_t))' > local_mcs_user.cil
  2. Load the new policy module.

    Use the semodule command to load the new policy module:

    sudo semodule -i local_mcs_user.cil
  3. Verify the change.

    Use the seinfo command to check that the mcs_constrained_type attribute is now applied to the user_t domain. The -x option expands the type to show its attributes, so mcs_constrained_type must appear in the output:

    seinfo -xt user_t | grep mcs_constrained_type

You can add the mcs_constrained_type attribute to any other SELinux domain in the same way.

Applying MCS Categories to a User

You can control a user's access to resources by applying MCS categories to the user. You can define category ranges that are available to each SELinux user and you can specify subranges for each Oracle Linux user account that's mapped to an SELinux user.

Note

See Administering SELinux Users for more information on the different SELinux users and how to manage mappings between these users and standard Oracle Linux users.

Defining the category ranges for an SELinux user

To specify the category range that's available to the SELinux user_u user, use the semanage command. The -r option takes a range in the form low-high: low is the default level that a session starts at, and high is the clearance, which is the most that can be granted to a login mapped to this SELinux user. For example:

sudo semanage user -m -r s0-s0:c0.c9 user_u

Use category numbers c0 to c1023, or category aliases if you're using the mcstrans service. The notation c0.c9 denotes the contiguous run c0 through c9, while a comma-separated list such as c0,c2 names individual categories. In this example, any of the categories c0 to c9 can be granted to a login mapped to user_u, and the default level s0 carries no categories. Leave the low level without categories unless every login mapped to the SELinux user is to hold them, because a login's own level must include (dominate) the low level of its SELinux user.

Specifying individual categories for an SELinux user

For each Oracle Linux user that's mapped to an SELinux user for which you have defined a category range, you can specify the individual categories that apply. For example, to apply the c1 category to the oracle user, run:

sudo semanage login -m -r s0:c1 oracle

The range that you assign to a login must lie within the range that you defined for the mapped SELinux user: the login's level must dominate the SELinux user's low level and be dominated by its high level. A login range outside the SELinux user's range produces a security context that the kernel rejects as invalid, and the login fails.

Changing the categories that apply to an SELinux user

You can also use the chcat -l command to change which categories apply to a user. For example, you can add the c2 category to oracle and remove the c1 category:

sudo chcat -l -- +c2,-c1 oracle

The command uses -- to indicate that the - character isn't to be interpreted as an option switch.

See the chcat(8) and semanage-user(8) manual pages for more information.

Applying MCS Categories to Files

Any user that has access rights to a file can apply an MCS category to the file if the category is assigned to that user. By applying a category to a file, a user blocks access to that file for other users on the system whose own categories don't include all of the file's categories. Note that as with all SELinux policies, standard Linux discretionary access controls are also in effect, so even if a user holds the file's categories, the user might still be unable to access the file if the file's permissions and mode prevent access for that user.

A user can set the categories that apply to a file if the categories that the user sets are also assigned to the user. File categories are set using the chcat command. For example, to add the c1 and c2 categories to a file, the user can run:

chcat -- +c1,+c2 /path/to/file

To remove the c1 category, the user can run:

chcat -- -c1 /path/to/file

The command uses -- to indicate that the - character isn't to be interpreted as an option switch. See the chcat(8) manual page for more information.

You can check which categories are assigned to a file by listing the file's security context:

ls -lZ /path/to/file

By default, a new file or directory inherits the SELinux type of its parent directory unless a type transition rule applies, while its level (sensitivity and categories) is taken from the low level of the process that creates it, not from the parent directory. To check the context of the parent directory itself, pass the directory path with -d so that ls lists the directory entry rather than its contents:

ls -dZ /path/to

Enabling the mcstrans Service

The mcstrans service automatically translates MCS category and MLS sensitivity values against a map of human-readable text labels that are defined as editable configuration entries.

If you're using a targeted policy, the configuration file is in /etc/selinux/targeted/setrans.conf. If you're using an mls policy, the configuration file is in /etc/selinux/mls/setrans.conf or as individual configuration files within /etc/selinux/mls/setrans.d.

The mcstrans service can make it easier for users to make sense of category and sensitivity values returned by the system for different SELinux outputs and to set appropriate values when defining security contexts. See the setrans.conf(8) and mcstransd(8) manual pages for more information.
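The rules this page relies on (a process's categories must include the file's, a login's range must sit inside its SELinux user's range, the canonical c0.c9 and c0,c1 spellings, and setrans.conf translation) can be checked offline with the following model. This is an added example written for this page, not code from SELinux, libselinux, mcstrans or Oracle Linux. The function names, the sample contexts, the set of constrained types passed to mcs_allows and the setrans.conf fragment are all constructed for illustration, and the simple raw=label lines are the only setrans.conf form the model understands.

```python
import re
from dataclasses import dataclass

def _parse_cat(tok):
    m = re.fullmatch(r"c(\d+)", tok)
    if not m or int(m.group(1)) > 1023:  # MCS categories run from c0 to c1023
        raise ValueError(f"bad category {tok!r}")
    return int(m.group(1))

@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity plus a set of categories."""
    sens: int
    cats: frozenset

    @classmethod
    def parse(cls, text):
        # Accepts 's2', 's0:c1', 's0:c0.c9,c12'; 'c0.c9' is the contiguous run c0..c9.
        sens, _, catspec = text.partition(":")
        m = re.fullmatch(r"s(\d+)", sens)
        if not m:
            raise ValueError(f"bad sensitivity {sens!r}")
        cats = set()
        for item in filter(None, catspec.split(",")):
            if "." in item:
                lo, hi = (_parse_cat(t) for t in item.split(".", 1))
                if lo >= hi:
                    raise ValueError(f"bad category run {item!r}")
                cats.update(range(lo, hi + 1))
            else:
                cats.add(_parse_cat(item))
        return cls(int(m.group(1)), frozenset(cats))

    def dominates(self, other):
        # Dominance: sensitivity at least as high and every category of 'other' present.
        return self.sens >= other.sens and self.cats >= other.cats

    def __str__(self):
        # Canonical spelling as the kernel prints it: runs of 3+ as 'c0.c2', pairs as 'c0,c1'.
        cats, out = sorted(self.cats), []
        while cats:
            j = 0
            while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
                j += 1
            run, cats = cats[:j + 1], cats[j + 1:]
            out.append(f"c{run[0]}.c{run[-1]}" if len(run) > 2 else ",".join(f"c{c}" for c in run))
        return f"s{self.sens}" + (":" + ",".join(out) if out else "")

@dataclass(frozen=True)
class Range:
    """'low-high' as given to semanage -r: low is the default level, high the clearance."""
    low: Level
    high: Level

    @classmethod
    def parse(cls, text):
        lo, _, hi = text.partition("-")
        low = Level.parse(lo)
        high = Level.parse(hi) if hi else low  # a bare level means low == high
        if not high.dominates(low):
            raise ValueError(f"high must dominate low in {text!r}")
        return cls(low, high)

    def contains(self, other):
        # The kernel's mls_range_contains check: 'other' must sit inside self at both ends.
        return (other.low.dominates(self.low) and self.high.dominates(other.low)
                and other.high.dominates(self.low) and self.high.dominates(other.high))

    def __str__(self):
        return str(self.low) if self.low == self.high else f"{self.low}-{self.high}"

def login_range_ok(selinux_user_range, login_range):
    """A 'semanage login -r' value must lie within the 'semanage user -r' range of the mapped
    SELinux user; otherwise the kernel rejects the resulting context as invalid."""
    return Range.parse(selinux_user_range).contains(Range.parse(login_range))

def mcs_allows(process_ctx, file_ctx, constrained_types):
    """MCS file constraint: the process's high level must dominate the file's level. Only
    domains carrying mcs_constrained_type are checked; DAC permissions apply separately."""
    ptype, prange = process_ctx.split(":", 3)[2:]
    frange = file_ctx.split(":", 3)[3]
    if ptype not in constrained_types:
        return True
    return Range.parse(prange).high.dominates(Range.parse(frange).high)

def load_setrans(text):
    """Parse simple 'raw=label' setrans.conf lines into a map keyed on canonical level text."""
    pairs = (line.split("#", 1)[0].strip().split("=", 1) for line in text.splitlines())
    return {str(Range.parse(raw.strip())): label.strip() for raw, label in (p for p in pairs if len(p) == 2)}

def translate(level_text, table):
    """Translate a raw level or range the way mcstrans would; unknown values stay raw."""
    key = str(Range.parse(level_text))
    return table.get(key, key)

SETRANS_SAMPLE = """
# constructed for this example, using names from the sensitivity/category matrix above
s0=Unclassified
s3:c0=HighlyRestrictedAccountancy
s0-s0:c0.c1023=Unclassified-SystemHigh
"""
```

With the page's own values, login_range_ok("s0-s0:c0.c9", "s0:c1") is True and mcs_allows("user_u:user_r:user_t:s0:c0,c1", "user_u:object_r:user_home_t:s0:c1", {"user_t"}) is True, whereas a process holding only c1 is refused a file tagged c0,c1. Had the SELinux user's low level been set to s0:c0,c1, login_range_ok("s0:c0,c1-s0:c0.c9", "s0:c1") would be False, because a login's level must dominate the low level of its SELinux user; that is why the low level is best left without categories.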

To install and enable the mcstrans service, run:

sudo dnf install -y mcstrans
sudo systemctl enable --now mcstrans

The systemctl enable --now combination enables the service at boot and starts it immediately.

If you update any of the setrans.conf files to create custom mappings, you must restart the mcstrans service:

sudo systemctl restart mcstrans

You can verify that translations are applied by running:

chcat -L

The command returns a list of the current mappings applied by the mcstrans service.