security labels on files. The contents of this attribute will vary depending on the file or directory you
inspect and the policy the machine is enforcing.
Note
This is expected to change in the 2.6.15 kernel (and already has in the latest -mm
kernels), so that getxattr(2) always returns the kernel's canonicalized version of the
label.
You can use the ls -Z command to view the category label of a file:

[root@myServer ~]# ls -Z gravityControl.txt
-rw-r--r--  user     user     user_u:object_r:tmp_t:Moonbase_Plans gravityControl.txt

You can use the getfattr(1) command to view the internal category value (c10):

[root@myServer ~]# getfattr -n security.selinux gravityControl.txt
# file: gravityControl.txt
security.selinux="user_u:object_r:tmp_t:s0:c10\000"

Refer to Section 44.5, "Getting Started with Multi-Category Security (MCS)" for details on creating
categories and assigning them to files.

44.5. Getting Started with Multi-Category Security (MCS)

This section provides an introduction to using MCS labels to extend the Mandatory Access Control
(MAC) capabilities of SELinux. It discusses MCS categories, SELinux user identities, and how they
apply to Linux user accounts and files. It builds on the conceptual information provided in
Section 44.4, "Multi-Category Security (MCS)", and introduces some basic examples of usage.

44.5.1. Introduction

MCS labeling from a user and system administrator standpoint is straightforward. It consists of
configuring a set of categories, which are simply text labels, such as "Company_Confidential" or
"Medical_Records", and then assigning users to those categories. The system administrator first
configures the categories, then assigns users to them as required. The users can then use the labels
as they see fit.

The names of the categories and their meanings are set by the system administrator, and can be
set to whatever is required for the specific deployment. A system in a home environment may have
only one category of "Private", and be configured so that only trusted local users are assigned to this
category.

In a corporate environment, categories could be used to identify documents confidential to specific
departments. Categories could be established for "Finance", "Payroll", "Marketing", and "Personnel".
Only users assigned to those categories can access resources labeled with the same category.

After users have been assigned to categories, they can label any of their own files with any of the
categories to which they have been assigned. For example, a home user in the system described
above could label all of their personal files as "Private", and no service such as Apache or vsftp would
ever be able to access those files, because they don't have access to the "Private" category.
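As an added illustration (not part of the original guide), the following Python parses raw security.selinux values like the getfattr output above, including the trailing NUL shown as \000, and applies the MCS dominance rule the section describes: a process may read a file only if its category set contains every category on the file. The sample contexts, the process context and the helper names are constructed for this example.

```python
import re
from typing import NamedTuple, FrozenSet, Tuple

# Constructed sample values, not captured from a real system. Older kernels return the
# trailing NUL byte that getfattr prints as \000, so the parser strips it.
RAW_FILE_XATTR = b"user_u:object_r:tmp_t:s0:c10\x00"
RAW_PROC_CONTEXT = "user_u:user_r:user_t:s0-s0:c10,c11"

_CAT = re.compile(r"c(\d+)(?:\.c(\d+))?")
Level = Tuple[int, FrozenSet[int]]          # (sensitivity number, category numbers)

def expand_categories(cats: str) -> FrozenSet[int]:
    """Turn 'c10', 'c1,c3' or 'c0.c1023' into the set of category numbers it names."""
    result = set()
    for part in filter(None, cats.split(",")):
        m = _CAT.fullmatch(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        result.update(range(lo, hi + 1))
    return frozenset(result)

def parse_level(level: str) -> Level:
    """'s0:c10' -> (0, {10}); a bare 's0' carries no categories."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), expand_categories(cats)

class Context(NamedTuple):
    user: str
    role: str
    type: str
    low: Level    # the level itself, or the low end of a 'low-high' range
    high: Level   # clearance: the high end of the range (equal to low if no range)

def parse_context(raw) -> Context:
    """Split a raw security.selinux value (str or bytes) into its fields."""
    if isinstance(raw, bytes):
        raw = raw.rstrip(b"\x00").decode("ascii")
    parts = raw.split(":", 3)
    level = parts[3] if len(parts) == 4 else "s0"   # no level field: treat as s0
    low_s, _, high_s = level.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    return Context(parts[0], parts[1], parts[2], low, high)

def mcs_allows_read(subject: Context, obj: Context) -> bool:
    """MCS read rule: the subject's clearance (high) must dominate the file's level (low)."""
    (s_sens, s_cats), (o_sens, o_cats) = subject.high, obj.low
    return s_sens >= o_sens and s_cats >= o_cats
```

Note that the human-readable name (Moonbase_Plans) never appears in the xattr; mapping c10 to that name is done by the translation layer, so access checks like this one must work on the numeric categories.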