Re: CentOS7 SELinux doesn't seem to adhere to MCS categories


 



On Wed, Mar 21, 2018 at 10:13:56PM +0100, Gionatan Danti wrote:
On 21-03-2018 17:16 justina colmena wrote:
MLS and MCS were originally intended for top-secret (TS/SCI) government
work at the NSA.

The MLS (Multi-Level Security) corresponds to the levels "s0-s15".
These were supposed to represent various levels of government security
classification, e.g. FOUO, Confidential, Secret, Top Secret.

The MCS (Multi-Category Security) was intended for "Sensitive
Compartmented Information" or "SCI". (Not my department -- I don't need
to know -- that sort of thing.)

MLS and MCS are not enabled or enforced in the "targeted policy" which
is not intended for heavily targeted systems, but rather to target
scarce open-source SELinux policy development resources at the
hardest-hit and most vulnerable sub-systems.

There has not been much interest in developing open source MLS/MCS
policies for SELinux on end user systems. I'm glad to see someone is
tinkering with it.

But why does it work on CentOS 6?
What can be done to make it work on CentOS 7?
Thanks.


Back in CentOS 6 every type was considered an "MCS constrained" type by
default.

CentOS 7 changed that behaviour by adding some constraints that only
considered a type MCS constrained if it was associated with a given attribute
(see: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/mcs#L73).
So now category/compartment dominance is only considered if you have an
association between your type and the MCS attribute.

You can see a list of these MCS constrained types by using seinfo:

$ seinfo -xamcs_constrained_type
Type Attributes: 1
 attribute mcs_constrained_type;
      container_t
      netlabel_peer_t
      openshift_app_t
      { ... }

If you want to create an association of your own, you can create a new policy
module like this:

$ echo '(typeattributeset mcs_constrained_type my_type)' > my_mcs_policy.cil
$ semodule -i my_mcs_policy.cil

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
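Added example, not code from the thread: a Python model of the difference described in the reply, applying MCS category dominance to every type (CentOS 6 behaviour) or only to types carrying the mcs_constrained_type attribute (CentOS 7 behaviour). The attribute membership is a constructed subset of the seinfo listing quoted above, and my_type is the hypothetical type from the CIL snippet.

```python
import re

# Constructed subset of the seinfo -xamcs_constrained_type output quoted above;
# on a real system the full list comes from that command.
MCS_CONSTRAINED_TYPES = frozenset({"container_t", "netlabel_peer_t", "openshift_app_t"})


def parse_categories(level: str) -> frozenset:
    """Expand an MCS level such as 's0:c1,c4.c6' into its category set {1, 4, 5, 6}."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {level!r}")
    result = set()
    for item in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)   # single 'cN' or range 'cN.cM'
        if not m:
            raise ValueError(f"bad category {item!r} in {level!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"reversed range {item!r} in {level!r}")
        result.update(range(lo, hi + 1))
    return frozenset(result)


def parse_context(ctx: str):
    """Split 'user:role:type:low[-high]' into (type, categories of the high level).

    The mcs constraints compare the high level of each range (h1 dom h2), so a
    single level 's0:c1' and a range 's0-s0:c1' yield the same category set.
    """
    _user, _role, type_, rng = ctx.split(":", 3)
    high = rng.split("-")[-1]
    return type_, parse_categories(high)


def mcs_allows(subject_ctx: str, object_ctx: str, centos7: bool = True) -> bool:
    """True if MCS category dominance does not block subject -> object access.

    CentOS 6: every type is MCS constrained, so the subject's categories must
    always be a superset of the object's.
    CentOS 7: dominance is required only when the subject type carries the
    mcs_constrained_type attribute; any other type skips the check entirely,
    which is why categories appear to be ignored for a plain custom type.
    """
    s_type, s_cats = parse_context(subject_ctx)
    _, o_cats = parse_context(object_ctx)
    if centos7 and s_type not in MCS_CONSTRAINED_TYPES:
        return True
    return s_cats >= o_cats
```

Adding a type to MCS_CONSTRAINED_TYPES here corresponds to installing the `(typeattributeset mcs_constrained_type my_type)` CIL module on the real system.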
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx



