43.4. Multi-Category Security (MCS)
Multi-Category Security (MCS) is an enhancement to SELinux, and allows users to label files with categories. These categories are used to further constrain Discretionary Access Control (DAC) and Type Enforcement (TE) logic. They may also be used when displaying or printing files. An example of a category is "Company_Confidential". Only users with access to this category can access files labeled with the category, assuming the existing DAC and TE rules also permit access.
The term categories refers to the same non-hierarchical categories used by Multi-Level Security (MLS). Under MLS, objects and subjects are labeled with Security Levels. These Security Levels consist of a hierarchical sensitivity value (such as "Top Secret") and zero or more non-hierarchical categories (such as "Crypto"). Categories provide compartments within sensitivity levels and enforce the need-to-know security principle. Refer to Section 43.6, “Multi-Level Security (MLS)” for more information about Multi-Level Security.
MCS is an adaptation of MLS. From a technical point of view, MCS is a policy change, combined with a few userland modifications to hide some of the unneeded MLS technology. Some kernel changes were also made, but only relating to making it easy to upgrade to MCS (or MLS) without invoking a full file system relabel.
The hope is to improve the quality of the system as a whole, reduce costs, leverage the open source process, increase transparency, and make the technology base useful to more than a small group of extremely special-case users.
Beyond access control, MCS could be used to display the MCS categories at the top and bottom of printed pages. This may also include a cover sheet to indicate document handling procedures. It should also be possible to integrate MCS with future developments in SELinux, such as Security Enhanced X. Integration with a directory server will also make MCS support for email easier. This could involve users manually labeling outgoing emails or by attaching suitably labeled files. The email client can then determine whether the recipients are known to be cleared to access the categories associated with the emails.
SELinux stores security contexts as an extended attribute of a file. The "security." namespace is used for security modules, and the security.selinux name is used to persistently store SELinux security labels on files. The contents of this attribute will vary depending on the file or directory you inspect and the policy the machine is enforcing.
This is expected to change in the 2.6.15 kernel (and already has in the latest -mm kernels), so that getxattr(2) always returns the kernel's canonicalized version of the label.
You can use the ls -Z command to view the category label of a file:
[root@myServer ~]# ls -Z gravityControl.txt -rw-r--r-- user user user_u:object_r:tmp_t:Moonbase_Plans gravityControl.txt
You can use the gefattr(1) command to view the internal category value (c10):
[root@myServer ~]# getfattr -n security.selinux gravityControl.txt # file: gravityControl.txt security.selinux="user_u:object_r:tmp_t:s0:c10\000"
Refer to Section 43.5, “Getting Started with Multi-Category Security (MCS)” for details on creating categories and assigning them to files.