selinux MCS

This is the second post regarding selinux arising from security discussions at our LUG.

Introduction

SELinux uses mandatory access control (MAC): the loaded policy, rather than the owner of a file, decides whether a process may access a file or another process.

Multi-Category Security (MCS) is a method of giving users some flexibility within the selinux MAC framework.

James Morris gives a nice description here

In a nutshell, MCS is an enhancement to SELinux which allows users to label files with categories. These categories are used to further constrain discretionary access control (DAC) and type enforcement (TE) logic: a process must pass the ordinary permission bits, the TE rules of the policy, and the MCS category check before access is granted.

An alternate, perhaps superior, option to MCS would be POSIX ACLs (access control lists). Note that ACLs are a DAC mechanism, set by the file owner and enforced by the filesystem, whereas MCS categories are checked by the SELinux policy on top of DAC, so the two solve somewhat different problems.

See this link for a discussion of DAC vs MAC.

One last caution: some of the how-tos on MCS seem outdated or incomplete, and I managed to break the SELinux policy using chcat as root. I was only able to fix my system by reinstalling the SELinux policy.

selinux context

Files carry an SELinux context, displayed with the -Z option of ls:

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:s0 file

The first field is the SELinux user. The mapping from Linux logins to SELinux users can be listed with semanage login -l; in the targeted policy, logins are mapped to unconfined_u by default. The second field is the role, and the third is the type (for a process, its domain); type enforcement rules are written in terms of this field.

In this blog, we are interested in the fourth field, s0. It is the sensitivity level used by the SELinux MLS policy and is optional in the targeted policy (the default for Fedora). The MLS policy is currently considered “experimental” and provides 16 sensitivity levels, s0-s15.

MCS, however, is supported in the targeted policy. The targeted policy has a single sensitivity level, s0, but allows up to 1024 “categories”, c0-c1023, which are appended to it (s0:c3, s0:c0.c100 and so on). Note that in newer targeted policies the MCS constraints are only enforced on domains that carry the mcs_constrained_type attribute (container and virtual-machine domains, for example); the policy of this post’s era applied them to every domain, which is what the examples below rely on.

To use MCS, the system administrator maps each login to an SELinux user (such as user_u or staff_u) and assigns the range of MCS categories that user may hold. Users can then assign categories to their own files using the chcat command. The check itself is a dominance rule: a process can read or write a file only if its own category set contains every category on the file, so a file labelled s0:c3 is reachable from a session running at s0:c0.c100 but not from one running at plain s0. DAC permissions and type enforcement still apply as well; MCS only adds a further restriction.

Using Multi-Category Security (MCS)

Configure categories

Note: this step is optional; you can use MCS categories by number without defining them in setrans.conf. If you define them in setrans.conf you can then use a category by name.

As root, edit /etc/selinux/targeted/setrans.conf

sudo vim /etc/selinux/targeted/setrans.conf

Add categories at the bottom

s0:c1=supersecret

s0:c2=4youreyesonly

Save your changes and restart mcstrans

sudo systemctl restart mcstrans.service

List your categories. Note this command does not need to be run as root.

chcat -L
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
s0:c1 supersecret
s0:c2 4youreyesonly

Set ranges of categories for your user by mapping them with semanage


Note: the documentation and how-tos are outdated (written for Fedora 15 or earlier) and advise running chcat as root. In this post chcat is run by the unprivileged user who owns the files; only the semanage login mappings below require root.

semanage is used to assign (map) category access to users using the -r flag

sudo semanage login -m -s staff_u -r s0:c0.c100 bodhi

Login mappings are listed with semanage login -l, and the above command changes the entry for bodhi from

bodhi staff_u s0

to

bodhi staff_u s0:c0.c100

To change back to the defaults, again use semanage

sudo semanage login -m -s staff_u -r s0 bodhi

After making changes your user(s) will need to log out and back in.

id

uid=500(bodhi) gid=500(bodhi) groups=10(wheel) context=staff_u:staff_r:staff_t:s0:c0.c100

Change the MCS categories of files as a user using chcat

Set your categories on files by running chcat as a user.

By number –

chcat -- c3 file

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:s0:c3 file

Remove the category again (the command below is what worked here; the documented way to strip every category from a file is the -d, --delete option of chcat)

chcat -- -s0 file

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:s0 file

By name –

Note: by name seems a bit buggy, as mcstrans does not recall the names after a reboot and so must be restarted.

chcat -- supersecret file

ls -Z

-rw-rw-r--. bodhi bodhi user_u:object_r:user_home_t:supersecret file

Remove the category

chcat -- SystemLow file

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:SystemLow file

You can assign multiple categories:

c0.c10 assigns categories c0 – c10 inclusive
c0,c2 assigns categories c0 and c2

chcat -- c0.c10 file

chcat -- c0,c2 file

Only categories within your own login range can be assigned: the policy refuses to relabel a file to a category the relabelling process does not itself hold, so with the s0:c0.c100 mapping above a request for c200 is denied.
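The rules that the chcat steps above rely on, and the MCS dominance check described in the introduction, can be modelled without an SELinux machine. The following is an added example written for this post; it is not code from the original post and not the real chcat (which happens to be a Python script in policycoreutils). It assumes the setrans.conf entries and the contexts shown above, constructed inline, and models only the single-level form s0[:categories] that ls -Z and id print in this post, not ranges such as s0-s0:c0.c1023.

```python
"""MCS dominance, category expressions and setrans name translation, in plain Python.

Added example for this post: not the original page's code and not the real chcat.
Inputs are the constructed setrans.conf entries and contexts shown in the post;
nothing under /etc/selinux is read and no SELinux system is needed to run it.
"""
import re

MAX_CAT = 1023  # targeted policy: categories c0 .. c1023

# Constructed setrans.conf fragment: the defaults plus the two entries added in the post.
SETRANS_CONF = """
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
s0:c1=supersecret
s0:c2=4youreyesonly
"""


def parse_setrans(text):
    """Return {raw_level: name} from 'level=name' lines, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            raw, _, name = line.partition("=")
            table[raw.strip()] = name.strip()
    return table


def parse_cats(expr):
    """Expand 'c0.c10' (inclusive range), 'c0,c2' (list) or '' into a set of ints."""
    cats = set()
    for part in filter(None, (p.strip() for p in expr.split(","))):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError("bad category expression: %r" % part)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi or hi > MAX_CAT:
            raise ValueError("category range out of bounds: %r" % part)
        cats.update(range(lo, hi + 1))
    return cats


def format_cats(cats):
    """Inverse of parse_cats: {0, 1, 2, 5} -> 'c0.c2,c5' (the ls -Z / chcat notation)."""
    runs = []
    for c in sorted(cats):
        if runs and runs[-1][1] == c - 1:
            runs[-1][1] = c          # extend the current run
        else:
            runs.append([c, c])      # start a new run
    return ",".join("c%d" % lo if lo == hi else "c%d.c%d" % (lo, hi) for lo, hi in runs)


def parse_level(level):
    """'s0:c0.c100' -> ('s0', {0..100}); 's0' -> ('s0', set()). Targeted policy has only s0."""
    sens, _, expr = level.partition(":")
    if sens != "s0":
        raise ValueError("targeted policy only has sensitivity s0, got %r" % sens)
    return sens, parse_cats(expr)


def to_raw_level(spec, table):
    """Normalise a chcat argument: a setrans name ('supersecret' -> 's0:c1',
    'SystemLow' -> 's0'), a bare category expression ('c3' -> 's0:c3') or a raw level."""
    for raw, name in table.items():
        if name == spec:
            return raw
    if spec == "" or spec.startswith("s"):
        return spec or "s0"
    return "s0:" + spec


def translate(raw_level, table):
    """What ls -Z prints while mcstrans is running: the setrans name if one is defined."""
    return table.get(raw_level, raw_level)


def level_of(context):
    """Fourth field of a context; it may itself contain ':' so split at most three times:
    'staff_u:staff_r:staff_t:s0:c0.c100' -> 's0:c0.c100'."""
    fields = context.split(":", 3)
    return fields[3] if len(fields) == 4 else "s0"


def dominates(high, low, table):
    """MCS dominance: same sensitivity and high's category set is a superset of low's."""
    hs, hc = parse_level(to_raw_level(high, table))
    ls, lc = parse_level(to_raw_level(low, table))
    return hs == ls and hc >= lc


def may_access(process_ctx, file_ctx, table):
    """The MCS part of a read/write decision: the process must dominate the file.
    DAC permission bits and type enforcement are checked separately and must also pass."""
    return dominates(level_of(process_ctx), level_of(file_ctx), table)


def may_relabel_to(process_ctx, new_spec, table):
    """Whether 'chcat -- NEW_SPEC file' run from this session stays within its own
    range; the policy refuses relabels to categories the process does not hold."""
    return dominates(level_of(process_ctx), new_spec, table)
```

Feed may_access and may_relabel_to the contexts from the id and ls -Z output above: with the session at staff_u:staff_r:staff_t:s0:c0.c100, relabelling to c3, supersecret or c0.c10 is within range while c200 is refused, and a file the session creates (labelled s0:c0.c100, as in the Quirks section) is not readable from a session holding only s0:c0.c50, even if the permission bits would allow it. Names, bare category expressions and raw levels are all accepted, mirroring what chcat takes on its command line.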

Quirks

The biggest “problem” with MCS I find is that once you assign categories to a user, all new files that user creates carry all of those categories. This is by design rather than a bug: a new file inherits the level of the process that creates it, and a session mapped to s0:c0.c100 runs at exactly that level, so everything it creates is labelled s0:c0.c100 until chcat narrows it. The practical consequence is that another user with a smaller range (say s0:c0.c50) cannot read those files until they are relabelled, even where the permission bits would allow it.

Example:

touch file

ls -Z

-rw-r--r--. bodhi bodhi staff_u:object_r:__t:s0:c0.c256 file

It seems we need a “semask” that would set a default category set for new files, similar to umask.

References:

Fedora selinux user guide
Multi Category Security
A Brief Introduction to Multi-Category Security (MCS)
Getting Started with Multi-Category Security (MCS)
Centos Getting Started with Multi-Category Security (MCS)

The only problem with those tutorials is that they are somewhat outdated =)


One Response to selinux MCS

  1. Leslie Satenstein says:

    I never had a clear understanding of SELinux until I read your article. It is very inspiring. The idea of adding to SELinux as you showed was the “foggy idea” remover.
