8.1. Multilevel Security Constraints

MLS is another form of mandatory access control that is applicable to some security problems, especially those associated with controlling government-classified data. Much of the early computer security research was driven by the goal of implementing MLS access controls within operating systems. SELinux provides optional support for MLS. Although type enforcement remains the fundamental access control mechanism of SELinux, we can also enable the optional MLS features to provide additional MLS-style mandatory access controls. In SELinux, MLS is an optional extension to type enforcement; you cannot have the MLS features without type enforcement.

Note

Fedora Core 5 (FC5) enabled the optional MLS features by default. In FC5, the MLS features are used to implement so-called multicategory security (MCS) policy rather than a traditional MLS policy modeled after government-classified systems. These two uses of the MLS features alone show the flexibility of SELinux. In any case, all uses of MLS are built upon the underlying TE security.


We enable MLS in SELinux by creating a binary kernel policy file that indicates that it is an MLS policy. The primary method to create such a kernel policy is to compile the policy using the -M option to the checkpolicy program. With this option, checkpolicy creates an MLS-enabled kernel policy, and when that policy is loaded into the kernel, the kernel enforces the additional MLS constraints. The available policy source build trees (for the example and reference policies, see Chapter 11, "Original Example Policy," and Chapter 12, "Reference Policy") manage whether the optional MLS features are enabled via a Makefile or configuration file.
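Whether a given binary kernel policy was built with -M is recorded in the policy file itself: the header written by libsepol consists of a magic number (0xf97cff8c), the identification string "SE Linux" preceded by its length, and then four 32-bit words (version, config, symbol-table count, object-context count), with bit 0 of the config word set for an MLS policy. The following parser is an added example and is not code from the book or from the SELinux project; the header layout is libsepol's policydb format, while the sample headers are constructed inline with illustrative version and table counts, so the script runs without a real policy file.

```python
import struct
import sys

POLICYDB_MAGIC = 0xF97CFF8C       # magic number at the start of every binary kernel policy
POLICYDB_STRING = b"SE Linux"     # identification string that follows the magic
POLICYDB_CONFIG_MLS = 0x1         # bit set in the config word when the policy is MLS-enabled


def parse_policy_header(data: bytes) -> dict:
    """Parse the fixed header of a binary SELinux kernel policy.

    Layout (little-endian u32 unless noted):
        magic, len(string), string[len], version, config, symbols, ocons
    Raises ValueError if the data does not look like a kernel policy.
    """
    if len(data) < 8:
        raise ValueError("too short for a policy header")
    magic, strlen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}; not a kernel policy")
    ident = data[8:8 + strlen]
    if ident != POLICYDB_STRING:
        raise ValueError(f"unexpected identification string {ident!r}")
    off = 8 + strlen
    if len(data) < off + 16:
        raise ValueError("truncated header")
    version, config, symbols, ocons = struct.unpack_from("<IIII", data, off)
    return {
        "version": version,
        "config": config,
        "mls": bool(config & POLICYDB_CONFIG_MLS),
        "symbols": symbols,
        "ocons": ocons,
    }


def is_mls_policy(data: bytes) -> bool:
    """True if the kernel will enforce MLS constraints for this policy."""
    return parse_policy_header(data)["mls"]


def build_sample_header(version: int, mls: bool) -> bytes:
    """Construct a header for demonstration; the table counts (8, 9) are
    illustrative values, not read from any real policy."""
    config = POLICYDB_CONFIG_MLS if mls else 0
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING
            + struct.pack("<IIII", version, config, 8, 9))


# Constructed samples: one MLS-enabled policy header and one without MLS.
MLS_SAMPLE = build_sample_header(21, True)
NON_MLS_SAMPLE = build_sample_header(21, False)


if __name__ == "__main__":
    # Usage: python policy_mls_check.py [/path/to/policy.NN]
    # With no argument the constructed MLS sample is inspected.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(64)
    else:
        data = MLS_SAMPLE
    hdr = parse_policy_header(data)
    state = "enabled" if hdr["mls"] else "disabled"
    print(f"policy version {hdr['version']}, MLS {state}")
```

Point the script at the compiled policy under /etc/selinux/<policyname>/policy/ to confirm the build tree actually produced an MLS policy before loading it. This is the check to run when a policy built from a tree whose Makefile or configuration file was supposed to enable MLS does not produce the expected MLS denials: if the config bit is clear, the kernel is not enforcing any MLS constraints regardless of what the policy sources say.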

Note

As this book was being prepared for publication, Tresys released a new version of the apol tool (SETools, release 2.4) that supports examining MLS security contexts and rules. We do not describe those features in this chapter, but they are simple to use after you become familiar with apol.


SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154