Stephen Smalley wrote:
On Fri, 2005-09-02 at 10:40 -0400, Gene Czarcinski wrote:
While I am more interested in a MLS (Multiple Level System) capability with
selinux, MCS is pretty close since it is "simply" MLS (multi-levels,
multi-categories) with a single level and multi-categories.
I'll take a stab at answering, although I think that James or Dan will
have more precise answers for MCS.
MCS and MLS are actually rather different. IIUC, under MCS, clearance
determines current access rather than current level, and objects (files)
are only labeled with categories upon explicit request by the process
(e.g. the user runs chcon on the file to set a category on it). MCS
doesn't try to prevent "write down", so it doesn't try to address the
trojan horse problem. MCS is effectively a discretionary model to allow
users to mark their data with additional tags that further restrict
access. The only mandatory aspect is authorizing users for categories
by defining their clearance in policy. However, MCS and MLS exercise
the same code paths and share the same support infrastructure. They
just differ in their specific configuration.
However, I do have some questions --
1. Is most/all of the needed updates available for FC4 or should I plan to
use the FC5-development packages?
You'll need the development packages, and some of the MCS-related
packages are still only in Dan's own site at present for experimentation
AFAIK. See his posting to selinux list.
Yes that is correct. libsetrans and targeted policy with mcs are on my
people page, but everything else is in rawhide.
2. It appears that MCS is only available with targeted policy (not with the
strict policy). Are there plans to include it in strict at some future time?
MCS is based on targeted, as the goal IIUC is for it to replace targeted
as the default policy in Fedora. Porting MCS to strict likely wouldn't
be hard. Dan also posted links to a MLS (not MCS) policy based on
strict available from his site earlier to selinux list. Not clear if he
is still maintaining that, although there will ultimately be a MLS
policy separate from MCS.
We will turn it on in strict policy, also by default. Haven't yet
because I have been trying to get it to work in
targeted.
3. To me, a key capability to make either MLS or MCS practical is to
implement polyinstantiation of /tmp and /home/<userid> directories so that
different levels and/or categories with really have different directories.
Has this been implemented? How does it work?
Under development - see Janak's postings to selinux and redhat-lspp
lists. It is being done in userspace via per-process namespaces and
bind mounts. Currently also depends on a kernel patch that isn't
upstream yet for unshare(2).
4. How do I enable MCS given that I am now running selinux-targeted in
enforcing mode?
You need to update to rawhide, and then you can install the MCS packages
from Dan's site, I believe.
Yes. Although it is currently broken in that users/root are only
logging in as "s0" not "s0:c0.c127" or "s0:c0,c2,c17"
Comment: While I understand that Red Hat folks would want to make a system
upgrade to MCS NOT require a system relabel, I (personally) do not consider
it a big deal to require full relabeling to transition to either MCS or MLS.
But it is critical if they want to make MCS the default in FC5, so that
people can upgrade from FC4.
Yes we can not force a relabel.
5. Is it the goal for MCS to make it fully implemented and an
installation/upgrade option for FC5?
Fully implemented IIUC.
It will not be an option, it will be enabled in both targeted and strict
policy.
6. Any tips on using MCS?
Not yet, we are learning as we go. One rule we have now is categories
can not have spaces in the translation.
Things we are working on:
Infrastructure to allow different users to login with different
categories.
If I want to allow a web site to show "CompanyConfidential"
documents what do I need to do?
7. Is there anything the developers would especially like tested?
I'll leave these to Dan or James.
Just need people to play with it and figure out where it is broken.
8. IIUC, "newrole -l" will be used to switch level & category on an MLS
system and "just" category on an MCS system. Is this correct?
I would expect so, although possibly newrole could take an option just
for category setting.
We do not intend for people to use newrole in MCS.
9. IIUC, the implementation supports a large number of levels (currently 10
or s0-s9 but could be larger or smaller) and an even larger number of
categories (currently 128 or c0-c127 but could be larger or smaller). Is
this correct?
Yes. No fundamental limitations there.
10. While the current implementation has levels specified as s0-s9 and
categories as c0-c127, there needs to some way to relate these "internal"
specifications to something more meaningful to real people. For example, for
sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret,
etc. In a similar manner, categories need something like c0=foo, c1=bar,
c2=CompanyPropin, etc. Has anything been done with this in mind? What are
the plans for this?
Yes, libselinux will now invoke an external translation library for
contexts if it is present on the system. Currently available from
Dan's site.
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list