I have been reviewing/following the MCS discussions on this mailing list, the LSPP mailing list, and the NSA selinux mailing list and it appears (to me) that MCS (Multiple Category System) capability may be sufficiently implemented to do some testing.
While I am more interested in a MLS (Multiple Level System) capability with selinux, MCS is pretty close since it is "simply" MLS (multi-levels, multi-categories) with a single level and multi-categories.
However, I do have some questions --
1. Is most/all of the needed updates available for FC4 or should I plan to use the FC5-development packages?
2. It appears that MCS is only available with targeted policy (not with the strict policy). Are there plans to include it in strict at some future time?
3. To me, a key capability to make either MLS or MCS practical is to implement polyinstantiation of /tmp and /home/<userid> directories so that different levels and/or categories will really have different directories. Has this been implemented? How does it work?
4. How do I enable MCS given that I am now running selinux-targeted in enforcing mode?
Comment: While I understand that Red Hat folks would want to make a system upgrade to MCS NOT require a system relabel, I (personally) do not consider it a big deal to require full relabeling to transition to either MCS or MLS.
5. Is it the goal for MCS to make it fully implemented and an installation/upgrade option for FC5?
6. Any tips on using MCS?
7. Is there anything the developers would especially like tested?
8. IIUC, "newrole -l" will be used to switch level & category on an MLS system and "just" category on an MCS system. Is this correct?
9. IIUC, the implementation supports a large number of levels (currently 10 or s0-s9 but could be larger or smaller) and an even larger number of categories (currently 128 or c0-c127 but could be larger or smaller). Is this correct?
10. While the current implementation has levels specified as s0-s9 and categories as c0-c127, there needs to be some way to relate these "internal" specifications to something more meaningful to real people. For example, for sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret, etc. In a similar manner, categories need something like c0=foo, c1=bar, c2=CompanyPropin, etc. Has anything been done with this in mind? What are the plans for this?
Comment: It sure would be nice to be able to do:
newrole -l unclassified:CompanyPropin
Any comments/info appreciated.
Gene
On Fri, 2005-09-02 at 10:40 -0400, Gene Czarcinski wrote:
While I am more interested in a MLS (Multiple Level System) capability with selinux, MCS is pretty close since it is "simply" MLS (multi-levels, multi-categories) with a single level and multi-categories.
I'll take a stab at answering, although I think that James or Dan will have more precise answers for MCS.
MCS and MLS are actually rather different. IIUC, under MCS, clearance determines current access rather than current level, and objects (files) are only labeled with categories upon explicit request by the process (e.g. the user runs chcon on the file to set a category on it). MCS doesn't try to prevent "write down", so it doesn't try to address the trojan horse problem. MCS is effectively a discretionary model to allow users to mark their data with additional tags that further restrict access. The only mandatory aspect is authorizing users for categories by defining their clearance in policy. However, MCS and MLS exercise the same code paths and share the same support infrastructure. They just differ in their specific configuration.
However, I do have some questions --
- Is most/all of the needed updates available for FC4 or should I plan to
use the FC5-development packages?
You'll need the development packages, and some of the MCS-related packages are still only on Dan's own site at present for experimentation AFAIK. See his posting to the selinux list.
- It appears that MCS is only available with targeted policy (not with the
strict policy). Are there plans to include it in strict at some future time?
MCS is based on targeted, as the goal IIUC is for it to replace targeted as the default policy in Fedora. Porting MCS to strict likely wouldn't be hard. Dan also posted links to a MLS (not MCS) policy based on strict available from his site earlier to selinux list. Not clear if he is still maintaining that, although there will ultimately be a MLS policy separate from MCS.
- To me, a key capability to make either MLS or MCS practical is to
implement polyinstantiation of /tmp and /home/<userid> directories so that different levels and/or categories will really have different directories. Has this been implemented? How does it work?
Under development - see Janak's postings to selinux and redhat-lspp lists. It is being done in userspace via per-process namespaces and bind mounts. Currently also depends on a kernel patch that isn't upstream yet for unshare(2).
- How do I enable MCS given that I am now running selinux-targeted in
enforcing mode?
You need to update to rawhide, and then you can install the MCS packages from Dan's site, I believe.
Comment: While I understand that Red Hat folks would want to make a system upgrade to MCS NOT require a system relabel, I (personally) do not consider it a big deal to require full relabeling to transition to either MCS or MLS.
But it is critical if they want to make MCS the default in FC5, so that people can upgrade from FC4.
- Is it the goal for MCS to make it fully implemented and an
installation/upgrade option for FC5?
Fully implemented IIUC.
Any tips on using MCS?
Is there anything the developers would especially like tested?
I'll leave these to Dan or James.
- IIUC, "newrole -l" will be used to switch level & category on an MLS
system and "just" category on an MCS system. Is this correct?
I would expect so, although possibly newrole could take an option just for category setting.
- IIUC, the implementation supports a large number of levels (currently 10
or s0-s9 but could be larger or smaller) and an even larger number of categories (currently 128 or c0-c127 but could be larger or smaller). Is this correct?
Yes. No fundamental limitations there.
- While the current implementation has levels specified as s0-s9 and
categories as c0-c127, there needs to be some way to relate these "internal" specifications to something more meaningful to real people. For example, for sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret, etc. In a similar manner, categories need something like c0=foo, c1=bar, c2=CompanyPropin, etc. Has anything been done with this in mind? What are the plans for this?
Yes, libselinux will now invoke an external translation library for contexts if it is present on the system. Currently available from Dan's site.
On Fri, 2 Sep 2005, Stephen Smalley wrote:
- Is it the goal for MCS to make it fully implemented and an
installation/upgrade option for FC5?
Fully implemented IIUC.
Yes, our hope is to make MCS the default for FC5, and for nobody to notice it's even there unless they start using category labels.
It still needs some work.
- IIUC, "newrole -l" will be used to switch level & category on an MLS
system and "just" category on an MCS system. Is this correct?
I would expect so, although possibly newrole could take an option just for category setting.
You should not need to change levels under MCS. In fact, a property of MCS is that processes always run at the same level "s0" and the high range clearance is only used for determining access to categories.
If this is not enforced by policy yet, it probably should be.
I'm planning on documenting MCS in more detail once we have a few more issues sorted out and hopefully ready to enable in rawhide.
- James
Stephen Smalley wrote:
On Fri, 2005-09-02 at 10:40 -0400, Gene Czarcinski wrote:
While I am more interested in a MLS (Multiple Level System) capability with selinux, MCS is pretty close since it is "simply" MLS (multi-levels, multi-categories) with a single level and multi-categories.
I'll take a stab at answering, although I think that James or Dan will have more precise answers for MCS.
MCS and MLS are actually rather different. IIUC, under MCS, clearance determines current access rather than current level, and objects (files) are only labeled with categories upon explicit request by the process (e.g. the user runs chcon on the file to set a category on it). MCS doesn't try to prevent "write down", so it doesn't try to address the trojan horse problem. MCS is effectively a discretionary model to allow users to mark their data with additional tags that further restrict access. The only mandatory aspect is authorizing users for categories by defining their clearance in policy. However, MCS and MLS exercise the same code paths and share the same support infrastructure. They just differ in their specific configuration.
However, I do have some questions --
- Is most/all of the needed updates available for FC4 or should I plan to
use the FC5-development packages?
You'll need the development packages, and some of the MCS-related packages are still only on Dan's own site at present for experimentation AFAIK. See his posting to the selinux list.
Yes that is correct. libsetrans and targeted policy with mcs are on my people page, but everything else is in rawhide.
- It appears that MCS is only available with targeted policy (not with the
strict policy). Are there plans to include it in strict at some future time?
MCS is based on targeted, as the goal IIUC is for it to replace targeted as the default policy in Fedora. Porting MCS to strict likely wouldn't be hard. Dan also posted links to a MLS (not MCS) policy based on strict available from his site earlier to selinux list. Not clear if he is still maintaining that, although there will ultimately be a MLS policy separate from MCS.
We will turn it on in strict policy, also by default. Haven't yet because I have been trying to get it to work in targeted.
- To me, a key capability to make either MLS or MCS practical is to
implement polyinstantiation of /tmp and /home/<userid> directories so that different levels and/or categories will really have different directories. Has this been implemented? How does it work?
Under development - see Janak's postings to selinux and redhat-lspp lists. It is being done in userspace via per-process namespaces and bind mounts. Currently also depends on a kernel patch that isn't upstream yet for unshare(2).
- How do I enable MCS given that I am now running selinux-targeted in
enforcing mode?
You need to update to rawhide, and then you can install the MCS packages from Dan's site, I believe.
Yes. Although it is currently broken in that users/root are only logging in as "s0", not "s0:c0.c127" or "s0:c0,c2,c17".
Comment: While I understand that Red Hat folks would want to make a system upgrade to MCS NOT require a system relabel, I (personally) do not consider it a big deal to require full relabeling to transition to either MCS or MLS.
But it is critical if they want to make MCS the default in FC5, so that people can upgrade from FC4.
Yes, we cannot force a relabel.
- Is it the goal for MCS to make it fully implemented and an
installation/upgrade option for FC5?
Fully implemented IIUC.
It will not be an option, it will be enabled in both targeted and strict policy.
- Any tips on using MCS?
Not yet, we are learning as we go. One rule we have now is that categories cannot have spaces in the translation.
Things we are working on: Infrastructure to allow different users to login with different categories. If I want to allow a web site to show "CompanyConfidential" documents what do I need to do?
- Is there anything the developers would especially like tested?
I'll leave these to Dan or James.
Just need people to play with it and figure out where it is broken.
- IIUC, "newrole -l" will be used to switch level & category on an MLS
system and "just" category on an MCS system. Is this correct?
I would expect so, although possibly newrole could take an option just for category setting.
We do not intend for people to use newrole in MCS.
- IIUC, the implementation supports a large number of levels (currently 10
or s0-s9 but could be larger or smaller) and an even larger number of categories (currently 128 or c0-c127 but could be larger or smaller). Is this correct?
Yes. No fundamental limitations there.
- While the current implementation has levels specified as s0-s9 and
categories as c0-c127, there needs to be some way to relate these "internal" specifications to something more meaningful to real people. For example, for sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret, etc. In a similar manner, categories need something like c0=foo, c1=bar, c2=CompanyPropin, etc. Has anything been done with this in mind? What are the plans for this?
Yes, libselinux will now invoke an external translation library for contexts if it is present on the system. Currently available from Dan's site.
On Fri, 2 Sep 2005, Gene Czarcinski wrote:
- Any tips on using MCS?
The usage scenario is intended to be flexible:
1) Create names for your categories
2) Assign users to categories
3) Let users label their files with the categories as they see fit
So, a simple example might be:
a) Define c1 to mean "Company_Confidential"
b) Configure all users to have access to c1
c) Users add this label to files like "secret_product_plan.pdf"
d) httpd, ftpd etc. can't access the file anymore
e) When printed, this category label is automatically added to the header and footer of each page or a cover sheet (once labeled printing is completed).
It's really up to you how you use it, though.
- Is there anything the developers would especially like tested?
Just using it at all is helpful at this stage. Let us know if you find any problems.
- James
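An added illustration, not part of any of the posts in this thread: a small Python model of the MCS rule Stephen and James describe (every process stays at sensitivity s0, and access to a file is decided only by whether the process's category clearance covers the file's categories), plus a category-name translation in the spirit of the libsetrans mapping mentioned above. The category spellings "s0:c0.c127" and "s0:c0,c2,c17" and the names Company_Confidential and CompanyPropin come from the thread; the function names and the simplification of a clearance to a flat category set are assumptions of this example.

```python
# Added example (not from the thread): model of MCS category dominance.
# Assumption: a clearance is represented as a flat set of category numbers,
# which is what the "high range" of an MCS context boils down to.
import re

def parse_categories(spec):
    """Return the set of category numbers in an MCS category spec.
    Items are comma-separated, each a single category ('c17') or a dotted
    range ('c0.c127'); an empty spec means no categories at all."""
    cats = set()
    if not spec:
        return cats
    for item in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad MCS category item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted range: {item!r}")
        cats.update(range(lo, hi + 1))
    return cats

def parse_level(level):
    """Split 's0' or 's0:c0,c2' into (sensitivity, set_of_categories)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    return sens, parse_categories(cats)

def mcs_allows(process_clearance, file_level):
    """MCS rule from the thread: sensitivities are always s0, and the
    process's categories must dominate (be a superset of) the file's."""
    psens, pcats = parse_level(process_clearance)
    fsens, fcats = parse_level(file_level)
    return psens == fsens == "s0" and fcats <= pcats

# Human-readable names, in the style of the external translation library
# the thread mentions; the names are the thread's own hypothetical examples.
CATEGORY_NAMES = {1: "Company_Confidential", 2: "CompanyPropin"}

def translate(level):
    """Render 's0:c1,c2' as 's0:Company_Confidential,CompanyPropin'."""
    sens, cats = parse_level(level)
    names = [CATEGORY_NAMES.get(c, f"c{c}") for c in sorted(cats)]
    return sens if not names else f"{sens}:{','.join(names)}"
```

In James's scenario, a user logged in as "s0:c0.c127" can read a file labeled "s0:c1", while httpd running at plain "s0" (the broken login case Dan describes) cannot.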
On Friday 02 September 2005 17:09, James Morris wrote:
On Fri, 2 Sep 2005, Gene Czarcinski wrote:
- Any tips on using MCS?
The usage scenario is intended to be flexible:
- Create names for your categories
where is this specified?
- Assign users to categories
where is this specified?
- Let users label their files with the categories as they see fit
So, a simple example might be:
a) Define c1 to mean "Company_Confidential"
b) Configure all users to have access to c1
c) Users add this label to files like "secret_product_plan.pdf"
d) httpd, ftpd etc. can't access the file anymore
e) When printed, this category label is automatically added to the header and footer of each page or a cover sheet (once labeled printing is completed).
Also, in /etc/sysconfig/selinux, do I need to specify SELINUXTYPE=mcs?
I assume I need to install the packages that are in ftp://people.redhat.com/dwalsh/selinux ... especially those under mcs.
BTW, it would be nice if the src.rpm packages were available also (e.g., libsetrans) so that I could look at the code if I have any questions.
Also, I assume that polyinstantiation of /tmp and /home is not planned for MCS but intended only for MLS ... correct? I assume this since you did not mention the use of "newrole" with respect to MCS.
Gene
selinux@lists.fedoraproject.org