Applying MCS Categories to Files

Any user who has access rights to a file can apply an MCS category to the file if the category is assigned to that user. By applying a category to a file, a user can block access to that file for other users on the system who don't have the same category assigned to them. Note that, as with all SELinux policies, standard Linux discretionary access controls are also in effect, so even if a user has category access to a file, the user may still be unable to access the file if the file permissions and mode prevent access for that user.

A user can set only those categories on a file that are also assigned to the user. File categories are set using the chcat command. For example, to add the c1 and c2 categories to a file, the user can run:

chcat -- +c1,+c2 /path/to/file

To remove the c1 category, the user can run:

chcat -- -c1 /path/to/file

The command uses -- to indicate that the - character isn't to be interpreted as an option switch. See the chcat(8) manual page for more information.

You can check which categories are assigned to a file by listing the file's security context:

ls -lZ /path/to/file
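
The check described above can be scripted to confirm that files carry the categories you expect. The following is an added example, not part of the original documentation: the helper names (ctx_from_ls, ctx_categories, missing_categories) are hypothetical and the sample ls -lZ lines are constructed. It goes slightly beyond the page by expanding the compact range form (c0.c3) that a label can use, and it assumes raw labels with a single level that are not translated by mcstransd.

```shell
#!/bin/sh
# Added example, not from the original page: verify the MCS categories on file labels.
# Assumes raw labels (no mcstransd translation) and a single level, e.g. s0:c1,c2.

# Pull the SELinux context (user:role:type:level) out of one `ls -Z` / `ls -lZ` line.
ctx_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { print $i; exit }
    }'
}

# Print each category in a context on its own line, expanding ranges (c0.c3).
ctx_categories() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, /[.]/) == 2) {
                lo = substr(r[1], 2) + 0; hi = substr(r[2], 2) + 0
                for (c = lo; c <= hi; c++) print "c" c
            } else print parts[i]
        }
    }'
}

# Print the required categories (arguments 2..n) that the context in $1 lacks.
missing_categories() {
    mc_have=$(ctx_categories "$1"); shift
    mc_missing=""
    for mc_want in "$@"; do
        printf '%s\n' "$mc_have" | grep -qxF "$mc_want" || mc_missing="$mc_missing $mc_want"
    done
    printf '%s\n' "${mc_missing# }"
}

# Constructed sample `ls -lZ` output; paths, owners and types are illustrative.
SAMPLE='-rw-r-----. 1 alice alice unconfined_u:object_r:user_home_t:s0:c1,c2 0 Jan  1 12:00 /path/to/file
-rw-r-----. 1 alice alice unconfined_u:object_r:user_home_t:s0:c0.c3 0 Jan  1 12:00 /path/to/ranged
-rw-r-----. 1 alice alice unconfined_u:object_r:user_home_t:s0 0 Jan  1 12:00 /path/to/uncategorized'

# Report every file that does not carry both c1 and c2.
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    gap=$(missing_categories "$(ctx_from_ls "$line")" c1 c2)
    [ -z "$gap" ] || printf '%s: missing %s\n' "${line##* }" "$gap"
done
```

On a live system, replace the constructed sample with the output of ls -lZ for the files you want to audit.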

New files and directories, by default, inherit the SELinux type of their parent directories. You can check which categories are assigned to the parent directory of a file by running:

ls -dZ /path/to