[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Introducing Multi-Category Security (MCS) SELinux policy in Rawhide

Tonights rawhide update for selinux-policy-targeted and selinux-policy-strict include MCS.

What is MCS?

Multi-category Security (MCS) is a discretionary labeling mechanism for SELinux. It allows users to add meaningful security labels to their own files. Only domains with access to these labels will then be able to access the files. Examples of category labels are "Company Confidential", "Intranet Only" and "Patient Records".

MCS can only further restrict access to files, after Unix DAC rules and SELinux MAC Type Enforcement rules have been applied. MCS uses much of the Multi-level Security (MLS) technology present in SELinux, but is designed to be simpler and map more readily to general use.

The general idea is to provide end users with more control over the security of their own files and help make SELinux more user-oriented. In the future, we expect to make use of category labels in areas such as labeled printing, where the category label is printed on each page.

A reboot is required to turn on the MLS/MCS field on policy.  The goal was to allow everything
to continue working without the reboot.  A relabel should not be necessary.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]