Multi categories security

Multi Categories Security (MCS) is an access control method in Security-Enhanced Linux (SELinux) that uses categories attached to objects (files) and granted to subjects (processes, …) at the operating system level. The implementation in Fedora Core 5 is advisory, because nothing stops a process from increasing its own access. The eventual aim is to make MCS a hierarchical mandatory access control system. Currently, MCS controls access to files and the ability to ptrace or kill processes. It has not yet been decided what level of control it should have over access to directories and other file system objects; it is still evolving.

MCS access controls are applied after the Domain-Type access controls and after regular DAC (Unix permissions). In the default policy, it is possible to manage up to 256 categories (c0 to c255). It is possible to recompile the policy with a much larger number of categories if required.

As part of the Multi-Level Security (MLS) development work, applications such as the CUPS print server will understand the MLS sensitivity labels; CUPS will use them to control printing and to label the printed pages according to their sensitivity level. The MCS data is stored and manipulated in the same way as MLS data, therefore any program which is modified for MCS support will also be expected to support MLS. This will increase the number of applications supporting MLS and therefore make it easier to run MLS (which is one of the reasons for developing MCS).

Note that MCS is not a subset of MLS: the Bell–LaPadula model is not applied. If a process has a clearance that dominates the classification of a file, then it gets both read and write access. For example, in a commercial environment you might use categories to map to data from different departments: c0 for HR data and c1 for Financial data. If a user is running with categories c0 and c1, they can read HR data and write it to a file labeled for Financial data. In a corporate environment this is usually regarded as acceptable: if a user is trusted with both HR and Financial access, then their integrity and skills are trusted to ensure that the data is not mistakenly released to the wrong file. For secret military data this is regarded as unacceptable, and the Bell–LaPadula model prevents such accidental or malicious relabeling of data.

Tips

For Fedora Core 5 Linux with SELinux.

Listing the configured level translations with "semanage translation -l" gives:

    Level                     Translation
    s0
    s0-s0:c0.c255             SystemLow-SystemHigh
    s0:c0.c255                SystemHigh

Showing a file's security context, e.g. with "ls -Z MyFile", gives:

    -rw-r--r--  me     me     user_u:object_r:tmp_t:SystemHigh MyFile

Wikimedia Foundation. 2010.
