mcs(8)                              mcs documentation                              mcs(8)

NAME
mcs - Multi-Category System
DESCRIPTION
MCS (Multi-Category System) allows users to label files on their system within administrator-defined categories. It then uses SELinux
Mandatory Access Control to protect those files. MCS is a discretionary model in the sense that users mark their own data with additional
category tags that further restrict access. The only mandatory aspect is authorizing users for categories by defining their clearance in
policy. However, MCS is similar to MLS: it exercises the same code paths and shares the same support infrastructure. The two differ only
in their specific configuration.
The /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file translates the labels on disk to human-readable form. Administrators can
define any labels they want in this file. Certain applications, such as printing and auditing, use these labels to identify the files.
Setting a category on a file prevents applications and services that are not cleared for that category from accessing the file.
Examples of file labels would be PatientRecord, CompanyConfidential, etc.
SEE ALSO
selinux(8), chcon(1)

FILES
/etc/selinux/{SELINUXTYPE}/setrans.conf
dwalsh@redhat.com 8 Sep 2005 mcs(8)
setrans.conf(8)                     setrans.conf documentation                     setrans.conf(8)

NAME
setrans.conf - translation configuration file for MCS/MLS SELinux systems
DESCRIPTION
The /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file specifies the way that SELinux MCS/MLS labels are translated into human
readable form by the mcstransd daemon. The default policies support 16 sensitivity levels (s0 through s15) and 1024 categories (c0 through
c1023). Multiple categories can be separated with commas (c0,c1,c3,c5) and a range of categories can be shortened using dot notation
(c0.c3,c5).
Keywords
Base once a base is declared, subsequent sensitivity label definitions will have all modifiers applied to them during translation.
Sensitivity labels defined before the base declaration are immediately cached and no modifiers will be applied; these are used as direct
translations.
Default
defines the category bit range that will be used for inverse bits.
Domain creates a new domain with the supplied name.
Include
read and process the contents of the specified configuration file.
Join defines a character used to separate members of a modifier group when more than one is specified (ex. USA/AUS).
ModifierGroup
a means of grouping category bit definitions by how they modify the sensitivity label.
Prefix word(s) that may precede member(s) of a modifier group (ex. REL USA).
Suffix word(s) that may follow member(s) of a modifier group (ex. USA EYES ONLY).
Whitespace
defines the set of acceptable white space characters that may be used in the label being translated.
Sensitivity Level Definition Examples
s0=SystemLow
defines a translation of s0 (the lowest sensitivity level) with no categories to SystemLow.
s15:c0.c1023=SystemHigh
defines a translation of s15:c0.c1023 to SystemHigh. c0.c1023 is shorthand for all categories. A colon separates the sensitivity
level and categories.
s0-s15:c0.c1023=SystemLow-SystemHigh
defines a range translation of s0-s15:c0.c1023 to SystemLow-SystemHigh. The two range components are separated by a dash.
s0:c0=PatientRecord
defines a translation of sensitivity s0 with category c0 to PatientRecord.
s0:c1=Accounting
defines a translation of sensitivity s0 with category c1 to Accounting.
s2:c1,c2,c3=Confidential3Categories
s2:c1.c3=Confidential3Categories
both define a translation of sensitivity s2 with categories c1, c2 and c3 to Confidential3Categories.
s5=TopSecret
defines a translation of sensitivity s5 with no categories to TopSecret.
Constraint Examples
c0!c1 if category bits 0 and 1 are both set, the constraint will fail and the original context will be returned.
c5.c9>c1
if category bits 5 through 9 are set, bit 1 must also be set or the constraint will fail and the original context will be returned.
s1!c5,c9
if category bits 5 and 9 are set and the sensitivity level is s1, the constraint will fail and the original context will be
returned.
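The label notation used by the definitions and constraints above (comma lists, dot ranges, dash ranges, and the three constraint forms) is compact enough to model directly, which also shows how mcs(8)'s "translate the labels on disk to human readable form" works in practice. The following Python is an added example for this page, not code from mcstrans or mcstransd: it parses raw labels the way the definitions above are written, applies the constraints, and maps labels to their translations, returning the original context when no translation applies or a constraint fails. The constraint semantics are read off the three examples above and are an assumption of this model (A!B fails when both sides are present on a level; A>B fails when A is present but B is absent); Base, ModifierGroup, Prefix, Suffix, Join and Domain handling is left out, and the Translator class, its method names and example_translator() are this example's own.

```python
"""Toy model of the MCS/MLS label syntax from setrans.conf(8).
Added example, not mcstrans code: parses raw labels (s<N>[:cats], comma lists,
dot ranges, dash ranges), applies the three constraint forms from the man page
and maps labels to their translations. Base/ModifierGroup/Prefix/Suffix/Join/
Domain handling is left out."""
import re

MAX_SENSITIVITY = 15   # s0..s15: the 16 levels of the default policies
MAX_CATEGORY = 1023    # c0..c1023: the 1024 categories of the default policies

_CAT_PART = re.compile(r"c(\d+)(?:\.c(\d+))?")
_LEVEL = re.compile(r"s(\d+)(?::([c\d.,]+))?")
_CONSTRAINT = re.compile(r"(s\d+|[c\d.,]+)([!>])([c\d.,]+)")

def parse_categories(spec):
    """'c0,c1,c3.c5' -> frozenset({0, 1, 3, 4, 5}); '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = _CAT_PART.fullmatch(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if lo > hi or hi > MAX_CATEGORY:
            raise ValueError(f"category range out of bounds: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def parse_level(text):
    """'s2:c1.c3' -> (2, frozenset({1, 2, 3})); 's0' -> (0, frozenset())."""
    m = _LEVEL.fullmatch(text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    sens = int(m.group(1))
    if sens > MAX_SENSITIVITY:
        raise ValueError(f"sensitivity out of bounds: {text!r}")
    return sens, parse_categories(m.group(2) or "")

def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level becomes (level, level)."""
    low, _, high = text.partition("-")
    low_level = parse_level(low)
    return (low_level, parse_level(high)) if high else (low_level, low_level)

def parse_constraint(text):
    """Predicate over a (sensitivity, categories) level.  Reading of the man
    page's three examples, an assumption of this model: A!B fails when A and B
    are both present on the level; A>B fails when A is present but B is not.
    A is a sensitivity (s1) or a category set; B is always a category set."""
    m = _CONSTRAINT.fullmatch(text)
    if not m:
        raise ValueError(f"bad constraint: {text!r}")
    lhs, op, rhs = m.groups()
    rhs_cats = parse_categories(rhs)
    lhs_sens = int(lhs[1:]) if lhs.startswith("s") else None
    lhs_cats = frozenset() if lhs_sens is not None else parse_categories(lhs)

    def holds(level):
        sens, cats = level
        a = sens == lhs_sens if lhs_sens is not None else lhs_cats <= cats
        b = rhs_cats <= cats
        return not (a and b) if op == "!" else (b or not a)

    return holds

class Translator:
    """Translation table with constraint checks, in the spirit of mcstransd."""

    def __init__(self, definitions, constraints=()):
        self.forward = {}
        for line in definitions:          # e.g. "s2:c1.c3=Confidential3Categories"
            raw, _, name = line.partition("=")
            self.forward[parse_range(raw.strip())] = name.strip()
        self.constraints = [parse_constraint(c) for c in constraints]

    def translate(self, context):
        """Human-readable form, or the original context if untranslatable."""
        try:
            low, high = parse_range(context)
        except ValueError:
            return context
        if not all(chk(low) and chk(high) for chk in self.constraints):
            return context               # constraint failed: original returned
        return self.forward.get((low, high), context)

def example_translator(constraints=("c0!c1", "c5.c9>c1", "s1!c5,c9")):
    """The man page's definition examples, plus by default its constraint examples."""
    return Translator([
        "s0=SystemLow", "s15:c0.c1023=SystemHigh",
        "s0-s15:c0.c1023=SystemLow-SystemHigh",
        "s0:c0=PatientRecord", "s0:c1=Accounting",
        "s2:c1.c3=Confidential3Categories", "s5=TopSecret",
    ], constraints)
```

example_translator().translate("s2:c1,c2,c3") yields Confidential3Categories, since the comma form and the dot form parse to the same category set, while "s0:c0,c1", "s0:c5.c9" and "s1:c5,c9" come back unchanged because a constraint fails. One consequence worth noticing: under this reading the mutual-exclusion constraint c0!c1 also rejects s15:c0.c1023 and the s0-s15 range, because SystemHigh carries every category, so a constraint set has to be reconciled with the definitions it sits beside. Check the reading against the shipped configurations under /usr/share/mcstrans/examples before relying on it.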
AUTHOR
Written by Joe Nall <joe@nall.com>.
Updated by Ted X. Toth <txtoth@gmail.com>.
SEE ALSO
selinux(8), mcs(8), mls(8), chcon(1)

FILES
/etc/selinux/{SELINUXTYPE}/setrans.conf
/usr/share/mcstrans/examples
txtoth@gmail.com 13 July 2010 setrans.conf(8)