43.5. Getting Started with Multi-Category Security (MCS)
This section provides an introduction to using MCS labels to extend the Mandatory Access Control (MAC) capabilities of SELinux. It discusses MCS categories, SELinux user identities, and how they apply to Linux user accounts and files. It builds on the conceptual information provided in Section 43.4, “Multi-Category Security (MCS)”, and introduces some basic examples of usage.
MCS labeling from a user and system administrator standpoint is straightforward. The system administrator first configures a set of categories, which are simply text labels such as "Company_Confidential" or "Medical_Records", and then assigns users to those categories as required. The users can then apply the labels to their own files as they see fit.
The names of the categories and their meanings are set by the system administrator, and can be set to whatever is required for the specific deployment. A system in a home environment may have only one category of "Private", and be configured so that only trusted local users are assigned to this category.
In a corporate environment, categories could be used to identify documents confidential to specific departments. Categories could be established for "Finance", "Payroll", "Marketing", and "Personnel". Only users assigned to those categories can access resources labeled with the same category.
After users have been assigned to categories, they can label any of their own files with any of the categories to which they have been assigned. For example, a home user on the system described above could label all of their personal files as "Private", and no service such as Apache or vsftpd could access those files, because those services run without the "Private" category.
MCS works on a simple principle: to access a file, a user must hold every category with which the file is labeled. The MCS check is applied after the normal Linux Discretionary Access Control (DAC) and Type Enforcement (TE) checks, so it can only deny access that DAC and TE would otherwise allow; it never grants access that they deny.
SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:
system_u — System processes
root — System administrator
user_u — All login users
Use the semanage user -l command to list SELinux users:
[root@dhcp-133 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                  SELinux Roles

root            user       s0         s0-s0:c0.c1023             system_r sysadm_r user_r
system_u        user       s0         s0-s0:c0.c1023             system_r
user_u          user       s0         s0-s0:c0.c1023             system_r sysadm_r user_r
Refer to Section 43.8.3, “Understanding the Users and Roles in the Targeted Policy” for more information about SELinux users and roles.
One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectively use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (user_u). This is solved by introducing the concept of an SELinux login, a mapping from a Linux user to an SELinux user plus an MCS range. It is consulted during the login process to assign MCS categories to the Linux user when their shell is launched.
Use the semanage login -a command to assign Linux users to SELinux user identities:
# semanage login -a james
# semanage login -a daniel
# semanage login -a olga
Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:
# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     user_u          s0
james           user_u          s0
daniel          user_u          s0
root            root            SystemLow-SystemHigh
olga            user_u          s0
Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.
Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.
SELinux maintains a mapping between the internal sensitivity and category levels and their human-readable names in the setrans.conf file; the mcstrans service performs the translation for tools such as ls -Z and chcat. The system administrator edits this file to manage and maintain the required categories.
Use the chcat -L command to list the current categories:
[root@dhcp-133 tmp]# chcat -L
s0:c0                          CompanyConfidential
s0:c3                          TopSecret
s0
s0-s0:c0.c255                  SystemLow-SystemHigh
s0:c0.c255                     SystemHigh
To modify the categories or to start creating your own, modify the /etc/selinux/<selinuxtype>/setrans.conf file. For the example introduced above, add the Marketing, Finance, Payroll, and Personnel categories as follows (this example uses the targeted policy, and irrelevant sections of the file have been omitted):
[root@dhcp-133 tmp]# vi /etc/selinux/targeted/setrans.conf
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
Use the chcat -L command to check the newly-added categories:
[root@dhcp-133 tmp]# chcat -L
s0:c0                          Marketing
s0:c1                          Finance
s0:c2                          Payroll
s0:c3                          Personnel
s0
s0-s0:c0.c255                  SystemLow-SystemHigh
s0:c0.c255                     SystemHigh
After you make any changes to the setrans.conf file, you need to restart the MCS translation service before those changes take effect. Use the following command to restart the service:
[root@dhcp-133 ~]# service mcstrans restart
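The translation that mcstrans performs between raw levels and the names in setrans.conf is easy to model, and doing so shows exactly why ls -Z prints "Finance,Payroll" rather than "s0:c1,c2" and why chcat can accept "+Finance". The following is an added example written for this page; it is not SELinux, mcstrans or Red Hat code. SETRANS_EXAMPLE is a constructed fragment based on the entries shown above (including the "s0=" entry with an empty name, which is why s0 appears with no translation in the chcat -L output), and the function names are this example's own. Where a category has no entry it is left raw, which is an assumption about the fallback behaviour.

```python
from __future__ import annotations

# Added example: a small model of the translation that the mcstrans service
# performs between raw MCS levels and the names in setrans.conf. This is not
# SELinux or Red Hat code; SETRANS_EXAMPLE is a constructed fragment based on
# the entries shown in the text, and the function names are this example's own.

SETRANS_EXAMPLE = """\
# Constructed setrans.conf fragment (targeted policy)
s0=
s0-s0:c0.c255=SystemLow-SystemHigh
s0:c0.c255=SystemHigh
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
"""


def parse_setrans(text: str) -> dict[str, str]:
    """Return {raw_level: name} for every 'raw=Name' line. Comments and blank
    lines are skipped; a name reused for two raw levels is rejected because it
    would make ls -Z and chcat output ambiguous."""
    table: dict[str, str] = {}
    for lineno, raw_line in enumerate(text.splitlines(), 1):
        line = raw_line.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"setrans.conf line {lineno}: expected raw=Name, got {line!r}")
        raw, name = (part.strip() for part in line.split("=", 1))
        if name and name in table.values():
            raise ValueError(f"setrans.conf line {lineno}: name {name!r} already used")
        table[raw] = name
    return table


def translate_level(table: dict[str, str], raw: str) -> str:
    """Raw level -> display form. A whole-level entry wins (s0:c0.c255 ->
    SystemHigh); otherwise each category is translated and the names joined
    with commas, which is how 'Finance,Payroll' appears in ls -Z output.
    Categories without an entry are left raw (assumed fallback)."""
    if raw in table:
        return table[raw]
    sens, _, cats = raw.partition(":")
    if not cats:
        return table.get(sens, sens)
    names = [table.get(f"{sens}:{cat}", cat) for cat in cats.split(",")]
    return ",".join(names)


def untranslate(table: dict[str, str], human: str) -> str:
    """Display form -> raw level, the direction chcat needs for '+Finance,+Payroll'.
    A whole-level name matches first; otherwise every name must map to a
    single category under one sensitivity."""
    reverse = {name: raw for raw, name in table.items() if name}
    if human in reverse:
        return reverse[human]
    sens = None
    cats = []
    for name in human.split(","):
        raw = reverse.get(name)
        if raw is None:
            raise KeyError(f"no category named {name!r} in setrans.conf")
        s, _, c = raw.partition(":")
        if not c:
            raise ValueError(f"{name!r} names a whole level, not a category")
        if sens is None:
            sens = s
        elif sens != s:
            raise ValueError("categories from different sensitivities cannot be combined")
        cats.append(c)
    return f"{sens}:{','.join(cats)}"


def translate_context(table: dict[str, str], context: str) -> str:
    """Render a full user:role:type:level context as ls -Z shows it. The level
    may itself contain ':' so the context is split at most three times, and an
    empty translation (s0 above) drops the level field entirely."""
    fields = context.split(":", 3)
    if len(fields) < 4:
        return context  # no level component present
    user, role, type_, level = fields
    shown = translate_level(table, level)
    base = f"{user}:{role}:{type_}"
    return f"{base}:{shown}" if shown else base


if __name__ == "__main__":
    table = parse_setrans(SETRANS_EXAMPLE)
    for raw in ("s0", "s0:c1,c2", "s0:c0.c255", "s0-s0:c0.c255"):
        print(f"{raw:20} -> {translate_level(table, raw) or '(no translation)'}")
    print(untranslate(table, "Finance,Payroll"))
    print(translate_context(table, "user_u:object_r:user_home_t:s0:c1,c2"))
```

The duplicate-name check in parse_setrans is the one thing worth carrying over to a real deployment: two raw levels with the same name would let chcat and ls -Z display one thing while the kernel enforces another.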
Now that the required categories have been added to the system, you can start assigning them to SELinux users and files. To further develop the example above, assume that James is in the Marketing department, Daniel is in the Finance and Payroll departments, and Olga is in the Personnel department. Each of these users has already been assigned an SELinux login.
Use the chcat command to assign MCS categories to SELinux logins:
[root@dhcp-133 ~]# chcat -l -- +Marketing james
[root@dhcp-133 ~]# chcat -l -- +Finance,+Payroll daniel
[root@dhcp-133 ~]# chcat -l -- +Personnel olga
You can also use the chcat command with additional command-line arguments to list the categories that are assigned to users:
[root@dhcp-133 ~]# chcat -L -l daniel james olga
daniel: Finance,Payroll
james: Marketing
olga: Personnel
You can add further Linux users, assign them to SELinux user identities and then assign categories to them as required. For example, if the company director also requires a user account with access to all categories, follow the same procedure as above:
# Create a user account for the company director (Karl)
[root@dhcp-133 ~]# useradd karl
[root@dhcp-133 ~]# passwd karl
Changing password for user karl.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

# Assign the user account to an SELinux login
[root@dhcp-133 ~]# semanage login -a karl

# Assign all the MCS categories to the new login
[root@dhcp-133 ~]# chcat -l -- +Marketing,+Finance,+Payroll,+Personnel karl
Use the chcat command to verify the addition of the new user:
[root@dhcp-133 ~]# chcat -L -l daniel james olga karl
daniel: Finance,Payroll
james: Marketing
olga: Personnel
karl: Marketing,Finance,Payroll,Personnel
MCS category access is assigned during login. Consequently, a user does not have access to newly-assigned categories until they log in again. Similarly, if access to a category is revoked, this is only apparent to the user after the next login.
At this point we have a system that has several user accounts, each of which is mapped to an SELinux user identity. We have also established a number of categories that are suitable for the particular deployment, and assigned those categories to different users.
All of the files on the system, however, still carry no categories (the default level s0), and are therefore accessible to every user, subject to the standard Linux DAC and TE constraints. We now need to assign categories to the various files on the system so that only the appropriate users can access them.
For this example, we create a file in Daniel's home directory:
[daniel@dhcp-133 ~]$ echo "Financial Records 2006" > financeRecords.txt
Use the ls -Z command to check the initial security context of the file:
[daniel@dhcp-133 ~]$ ls -Z financeRecords.txt
-rw-r--r--  daniel daniel user_u:object_r:user_home_t     financeRecords.txt
Notice that at this stage the file has the default context for a file created in the user's home directory (user_home_t) and has no categories assigned to it; the level s0 is not shown because it has no translated name. We can add the required category using the chcat command. When you check the security context of the file again, you can see that the category has been applied.
[daniel@dhcp-133 ~]$ chcat -- +Finance financeRecords.txt
[daniel@dhcp-133 ~]$ ls -Z financeRecords.txt
-rw-r--r--  daniel daniel root:object_r:user_home_t:Finance  financeRecords.txt
In many cases, you need to assign more than one category to a file. For example, some files may need to be accessible to users from both the Finance and Payroll departments.
[daniel@dhcp-133 ~]$ chcat -- +Payroll financeRecords.txt
[daniel@dhcp-133 ~]$ ls -Z financeRecords.txt
-rw-r--r--  daniel daniel root:object_r:user_home_t:Finance,Payroll  financeRecords.txt
Each of the categories assigned to the file is displayed in the security context. You can add and delete categories on files as required. Only users assigned to all of those categories can access the file, assuming that Linux DAC and TE permissions already allow the access.
If a user who is assigned to a different category tries to access the file, they receive an error message:
[olga@dhcp-133 ~]$ cat financeRecords.txt
cat: financeRecords.txt: Permission denied
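The denial Olga sees follows directly from the rule stated at the start of this section: her login range s0-s0:c3 does not contain c1 and c2, so the MCS constraint fails even though the file is world-readable under DAC and user_home_t is readable under TE. The following added example models that rule in plain Python so it can be checked without an SELinux system; it is not SELinux or Red Hat code, the function names and the LOGINS table are this example's own, and the raw category numbers follow the setrans.conf entries above (c0 Marketing, c1 Finance, c2 Payroll, c3 Personnel). It also generalises the page's single case by handling dotted ranges such as c0.c1023 and by covering the "s0 with no categories" default.

```python
from __future__ import annotations

import re

# Added example: a model of the MCS access rule ("the subject needs every
# category the object carries"), not SELinux or Red Hat code. Function names
# and the LOGINS table are this example's own; category numbers follow the
# setrans.conf entries in the text (c0 Marketing, c1 Finance, c2 Payroll,
# c3 Personnel).

CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?$")


def parse_categories(cats: str) -> frozenset[int]:
    """Expand an MCS category list such as 'c0.c3,c7' into {0,1,2,3,7}; an
    empty string means no categories."""
    result: set[int] = set()
    for part in filter(None, cats.split(",")):
        m = CAT_RE.match(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if high < low:
            raise ValueError(f"descending range: {part!r}")
        result.update(range(low, high + 1))
    return frozenset(result)


def parse_level(level: str) -> tuple[int, frozenset[int]]:
    """'s0:c1,c2' -> (0, {1, 2}); 's0' alone -> (0, empty set)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    return int(sens[1:]), parse_categories(cats)


def high_level(range_str: str) -> tuple[int, frozenset[int]]:
    """A login's range is 'low-high' (s0-s0:c0.c1023) or a single level; what
    it may read is governed by the high end."""
    low, _, high = range_str.partition("-")
    return parse_level(high or low)


def mcs_allows(subject_range: str, object_level: str) -> bool:
    """The MCS constraint: the subject's high level must dominate the object's
    level, i.e. equal-or-greater sensitivity and a superset of categories."""
    subj_sens, subj_cats = high_level(subject_range)
    obj_sens, obj_cats = parse_level(object_level)
    return subj_sens >= obj_sens and obj_cats <= subj_cats


def access_allowed(dac_ok: bool, te_ok: bool, subject_range: str, object_level: str) -> bool:
    """MCS is checked after DAC and Type Enforcement and can only deny, never
    grant: if DAC or TE already fails, the category check cannot rescue it."""
    return dac_ok and te_ok and mcs_allows(subject_range, object_level)


# Constructed login table mirroring the chcat -L -l output in the text.
LOGINS = {
    "james": "s0-s0:c0",          # Marketing
    "daniel": "s0-s0:c1,c2",      # Finance,Payroll
    "olga": "s0-s0:c3",           # Personnel
    "karl": "s0-s0:c0.c3",        # all four departments
    "root": "s0-s0:c0.c1023",     # SystemLow-SystemHigh
}


def who_can_read(logins: dict[str, str], object_level: str) -> list[str]:
    """Logins whose range dominates the object's level, in table order."""
    return [name for name, rng in logins.items() if mcs_allows(rng, object_level)]


if __name__ == "__main__":
    finance_records = "s0:c1,c2"   # financeRecords.txt after +Finance,+Payroll
    print("can read financeRecords.txt:", who_can_read(LOGINS, finance_records))
    print("olga:", mcs_allows(LOGINS["olga"], finance_records))   # the denial above
```

Two practical points fall out of the model: a login whose range is still the plain "s0" (the __default__ mapping) can read only files carrying no categories at all, and a label change takes effect for a user only once a new session picks up the updated range, which is the re-login requirement noted earlier.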
Refer to the man pages for semanage and chcat for more information on the available options for these commands.