Enabling MCS for Users

MCS is active by default in SELinux, but isn't configured for users. To configure MCS for users, you must create a policy module that adds a rule to assign the mcs_constrained_type attribute to the user domain.

  1. Create a file that contains the rule, for example:

    echo '(typeattributeset mcs_constrained_type (user_t))' > local_mcs_user.cil
  2. Load the new policy module.

    sudo semodule -i local_mcs_user.cil
  3. Verify that the mcs_constrained_type attribute is now applied to the user_t domain.

    seinfo -xt user_t | grep mcs_constrained_type

You can add the mcs_constrained_type attribute to any other SELinux domain in the same way.
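
The same three steps, generalized to several domains at once, as an added example (not part of the original documentation). The function names, the module file name local_mcs_domains.cil, and the second domain staff_t are assumptions for illustration; the type names are validated before they are written into the CIL rule so that a malformed argument cannot add extra policy statements to the module.

```shell
#!/bin/sh
# Added example: build, load and verify one CIL module that assigns
# mcs_constrained_type to one or more SELinux domains.

# Accept only plain SELinux identifiers (letters, digits, underscore).
# Anything else (spaces, parentheses) could alter the generated CIL.
valid_type() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the CIL rule for the given domains, or fail on a bad name.
mcs_cil_rule() {
    [ "$#" -gt 0 ] || return 1
    for t in "$@"; do
        valid_type "$t" || { echo "invalid type name: $t" >&2; return 1; }
    done
    printf '(typeattributeset mcs_constrained_type (%s))\n' "$*"
}

# Step 1: write the rule; step 2: load it; step 3: verify every domain.
# Usage (hypothetical file and domains):
#   apply_mcs local_mcs_domains.cil user_t staff_t
apply_mcs() {
    module_file=$1
    shift
    rule=$(mcs_cil_rule "$@") || return 1
    printf '%s\n' "$rule" > "$module_file"
    sudo semodule -i "$module_file" || return 1
    for t in "$@"; do
        if ! seinfo -xt "$t" | grep -q mcs_constrained_type; then
            echo "mcs_constrained_type not applied to $t" >&2
            return 1
        fi
    done
}
```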