[RFC PATCH 3/4] mcstrans: manpages


SELinux Project contribution of mcstrans. mcstrans is a userland package specific to SELinux which allows system administrators to define sensitivity levels and categories and provides a daemon for their translation into human readable form. This version is a merge of Joe Nall's git tree (http://github.com/joenall/mcstrans) and patches supplied by Dan Walsh and others at Red Hat.

Manpages.

---


 Makefile            |   10 ++++
 man8/mcs.8          |   30 ++++++++++++++
 man8/mcstransd.8    |   25 ++++++++++++
 man8/setrans.conf.8 |  106 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 171 insertions(+)

diff --git a/policycoreutils/mcstrans/man/Makefile b/policycoreutils/mcstrans/man/Makefile
new file mode 100644
index 0000000..f07ec96
--- /dev/null
+++ b/policycoreutils/mcstrans/man/Makefile
@@ -0,0 +1,10 @@
+# Installation directories.
+MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
+
+install:
+    mkdir -p $(MAN8DIR)
+    install -m 644 man8/*.8 $(MAN8DIR)
+
+clean:
+    -rm -f *~ \#*
+    -rm -f man8/*~ man8/\#*
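Review bot: `install:` is the first target in this Makefile, so it is the default goal and a bare `make` in this directory will create $(MAN8DIR) and install the pages. Add an empty `all:` target ahead of `install:` and declare `.PHONY: all install clean` so a file named after a target cannot shadow it. The recipe lines also show as space-indented in this copy; they need a leading tab for make to accept them.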
diff --git a/policycoreutils/mcstrans/man/man8/mcs.8 b/policycoreutils/mcstrans/man/man8/mcs.8
new file mode 100644
index 0000000..6954e0c
--- /dev/null
+++ b/policycoreutils/mcstrans/man/man8/mcs.8
@@ -0,0 +1,30 @@
+.TH  "mcs"  "8"  "8 Sep 2005" "dwalsh@xxxxxxxxxx" "mcs documentation"
+
+.SH "NAME"
+mcs \- Multi-Category System
+
+.SH "DESCRIPTION"
+MCS (Multiple Category System) allows users to label files on their
+system within administrator defined categories.  It then uses SELinux
+Mandatory Access Control to protect those files.   MCS is a discretionary
+model to allow users to mark their data with additional tags that further
+restrict access.  The only mandatory aspect is authorizing users for
+categories by defining their clearance in policy.  However, MCS is similar
+to MLS and exercises the same code paths and share the same support
+infrastructure.  They just differ in their specific configuration.
+
+
+The
+.I /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file translates the labels on disk to human
+readable form.   Administrators can define any labels they want in this file.
+Certain applications like printing and auditing will use these labels to
+identify the files.  By setting a category on a file you will prevent
+other applications/services from having access to the files.
+.p
+Examples of file lables would be PatientRecord, CompanyConfidential etc.
+
+.SH "SEE ALSO"
+selinux(8), chcon(1)
+
+.SH FILES
+/etc/selinux/{SELINUXTYPE}/setrans.conf
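Review bot: the `.p` ahead of the "Examples of file lables" line is not a man macro (macro names are case-sensitive), so no paragraph break is produced there; it should be `.P` or `.PP`. The `.I /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file translates ...` line italicizes everything on it, because `.I` applies to all of its arguments; put the path alone on the `.I` line and start the sentence on the next line, as the setrans.conf.8 page in this patch does. Text fixes in the same pass: "lables" should be "labels", and "exercises the same code paths and share" should be "shares". NAME says "Multi-Category System" while DESCRIPTION says "Multiple Category System"; pick one.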
diff --git a/policycoreutils/mcstrans/man/man8/mcstransd.8 b/policycoreutils/mcstrans/man/man8/mcstransd.8
new file mode 100644
index 0000000..4c63965
--- /dev/null
+++ b/policycoreutils/mcstrans/man/man8/mcstransd.8
@@ -0,0 +1,25 @@
+.TH "mcstransd" "8" "16 Oct 2009" "dwalsh@xxxxxxxxxx" "mcs documentation"
+.SH "NAME"
+mcstransd \- MCS (Multiple Category System) daemon.  Translates SELinux MCS/MLS labels to human readable form.
+
+.SH "SYNOPSIS"
+.B mcstransd
+.P
+
+.SH "DESCRIPTION"
+This manual page describes the
+.BR mcstransd
+program.
+.P
+This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file, and communicates with libselinux via a socket in /var/run/setrans.
+
+.SH "AUTHOR"
+This man page was written by Dan Walsh <dwalsh@xxxxxxxxxx>.
+The program was originally written by Dan Walsh <dwalsh@xxxxxxxxxx>.
+The program was enhanced/rwwritten by Joe Nall <joe@xxxxxxxx>.
+
+.SH "FILES"
+/etc/selinux/{SELINUXTYPE}/setrans.conf
+
+.SH "SEE ALSO"
+.BR mcs (8),
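Review bot: SEE ALSO ends in a dangling comma, `.BR mcs (8),`, with nothing after it. Drop the comma or, better, follow it with `.BR setrans.conf (8)`, since DESCRIPTION names that file as the daemon's configuration and this patch adds its page. In AUTHOR, "rwwritten" should be "rewritten". The `.P` directly after `.B mcstransd` in SYNOPSIS opens an empty paragraph and can be removed, and the DESCRIPTION sentence reads better as "reads the ... setrans.conf configuration file".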
diff --git a/policycoreutils/mcstrans/man/man8/setrans.conf.8 b/policycoreutils/mcstrans/man/man8/setrans.conf.8
new file mode 100644
index 0000000..100913c
--- /dev/null
+++ b/policycoreutils/mcstrans/man/man8/setrans.conf.8
@@ -0,0 +1,106 @@
+.TH "setrans.conf" "8" "13 July 2010" "txtoth@xxxxxxxxx" "setrans.conf documentation"
+.SH "NAME"
+setrans.conf \- translation configuration file for MCS/MLS SELinux systems
+
+.SH "DESCRIPTION"
+The
+.I /etc/selinux/{SELINUXTYPE}/setrans.conf
+configuration file specifies the way that SELinux MCS/MLS labels are translated into human
+readable form by the mcstransd daemon.  The default policies support 16 sensitivity levels (s0 through s15) and 1024 categories (c0 through c1023). Multiple categories can be separated with commas (c0,c1,c3,c5) and a range of categories can be shortened using dot notation (c0.c3,c5).
+
+.SS "Keywords"
+
+.TP
+Base\fR
+once a base is declared subsequent sensitivity label definitions will have all modifiers applied to them during translation.
+Sensitivity labels defined before the base declaration are immediately cached and no modifiers will be applied these are used as direct translations.
+
+.TP
+Default\fR
+defines the category bit range that will be used for inverse bits.
+
+.TP
+Domain\fR
+creates a new domain with the supplied name.
+
+.TP
+Include\fR
+read and process the contents of the specified configuration file.
+
+.TP
+Join\fR
+defines a character used to separate members of a modifier group when more than one is specified (ex. USA/AUS).
+
+.TP
+ModifierGroup\fR
+a means of grouping category bit definitions by how they modify the sensitivity label.
+
+.TP
+Prefix\fR
+word(s) that may proceed member(s) of a modifier group (ex. REL USA).
+
+.TP
+Suffix\fR
+word(s) that may follow member(s) of a modifier group (ex. USA EYES ONLY).
+
+.TP
+Whitrespace\fR
+defines the set of acceptable white space characters that may be used in label being translated.
+
+.SS "Sensitivity Level Definition Examples"
+
+.TP
+s0=SystemLow\fR
+defines a translation of s0 (the lowest sensitivity level) with no categories to SystemLow.
+
+.TP
+s15:c0.c1023=SystemHigh\fR
+defines a translation of s15:c0.c1023 to SystemHigh. c0.c1023 is shorthand for all categories. A colon separates the sensitivity level and categories.
+
+.TP
+s0\-s15:c0.c1023=SystemLow\-SystemHigh\fR
+defines a range translation of of s0\-s15:c0.c1023 to SystemLow\-SystemHigh. The two range components are separated by a dash.
+
+.TP
+s0:c0=PatientRecord\fR
+defines a translation of sensitivity s0 with category c0 to PatientRecord.
+
+.TP
+s0:c1=Accounting\fR
+defines a translation of sensitivity s0 with category c1 to Accounting.
+
+.TP
+s2:c1,c2,c3=Confidential3Categories
+.TP
+s2:c1.c3=Confidential3Categories\fR
+both define a translation of sensitivity s2 with categories c1, c2 and c3 to Confidential3Categories.
+
+.TP
+s5=TopSecret\fR
+defines a translation of sensitivity s5 with no categories to TopSecret.
+
+.SS "Constraint Examples"
+
+.TP
+c0!c1
+if category bits 0 and 1 are both set the constraint will fail and the original context will be returned.
+
+.TP
+c5.c9>c1
+if category bits 5 through 9 are set bit 1 must also be set or the constraint will fail and the original context will be returned.
+
+.TP
+s1!c5,c9
+if categroy bits 5 and 9 are set and the sensitivity level is s1 the constraint will fail and the original context will be returned.
+
+.SH "AUTHOR"
+    Written by Joe Nall <joe@xxxxxxxx>.
+    Updated by Ted X. Toth <txtoth@xxxxxxxxx>.
+   
+.SH "SEE ALSO"
+selinux(8), mcs(8), mls(8), chcon(1)
+
+.SH "FILES"
+/etc/selinux/{SELINUXTYPE}/setrans.conf
+.br
+/usr/share/mcstrans/examples
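Review bot: under Keywords, `Whitrespace\fR` misspells the keyword it documents; an administrator copying it from this page into setrans.conf would be typing a name that does not match the "white space" the entry describes, so confirm the spelling the parser accepts and use exactly that. Most `.TP` tags end in `\fR` with no `\fB` in front, and the constraint tags and the first `s2:` tag have neither, so choose one form for all of them, for example `\fBBase\fR`. Text fixes: "proceed" should be "precede" in the Prefix entry, "of of" in the range example, "categroy" in the last constraint, and the Base entry needs a sentence break in "no modifiers will be applied these are used". The two AUTHOR lines begin with spaces, which roff treats as a forced break plus indent; start them in column one.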

