Multi categories security

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by JoseREMY (talk | contribs) at 09:46, 20 January 2006. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Multi Categories Security (MCS) is an access control method that uses non-hierarchical categories attached to objects (files, records, messages, …) and granted to subjects (processes, …) at the operating system level. It is a form of discretionary access control (DAC) because labeling is under user control, with the labels and the “rights to use” definitions provided by an administrator. MCS is applied after mandatory access control (MAC), if applicable, and after regular DAC (standard permissions). In the early FC5 implementation by Red Hat it is possible to manage up to 128 categories (c0 to c127): the id is provided by the system (SELinux), while the category name is whatever the administrators choose. Categories can be used to control printing clearance and warning headers. MCS information is part of the security context, as an MLS field.


It is to “Multi-Level Security” (MLS) what LDAP is to X.500: a lightweight MLS in which there is only one hierarchical sensitivity level, and the Bell-LaPadula model is applied except for its security properties (simple security, reading down, writing up). An MCS system is supposed to be easily upgradeable to an MLS system. MCS is a mix of MAC (enforcement of the categories according to rules) and DAC (user labeling), and is complementary to role-based access control (RBAC).


Tips

For FC5 Linux with SELinux

FILE /etc/mcs.conf contains “s0:c01=MyCategory”, where “s0” is the unique sensitivity level and “c01” the named category.

COMMAND e.g. “ls -Z MyFile” gives -rw-r--r-- me me user_u:object_r:tmp_t:MyCategory MyFile
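As an added illustration (not part of the article and not SELinux's own code), the following Python models the two formats the tips describe: the “s0:cN=Name” translation lines, the MLS field of a security context, and the MCS rule that a subject must hold every category attached to an object. The c0..c127 limit and the single level s0 come from the article; the range syntax “c2.c4”, comment lines and the comma-joined rendering of several category names are assumptions.

```python
import re
from typing import Dict, FrozenSet

MAX_CATEGORY = 127  # the early FC5 MCS implementation provides c0..c127


def parse_mcs_conf(text: str) -> Dict[int, str]:
    """Map category ids to names from 's0:cN=Name' lines (the mcs.conf format above)."""
    names: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # assumption: blank lines and '#' comments are skipped
        m = re.fullmatch(r"s0:c(\d+)=(\S+)", line)
        if not m:
            raise ValueError(f"unrecognised mcs.conf line: {line!r}")
        cid = int(m.group(1))  # 'c01' and 'c1' both denote category 1
        if cid > MAX_CATEGORY:
            raise ValueError(f"category c{cid} outside c0..c{MAX_CATEGORY}")
        names[cid] = m.group(2)
    return names


def parse_categories(mls: str) -> FrozenSet[int]:
    """Category set of a raw MLS field such as 's0', 's0:c1,c5' or 's0:c2.c4' (range)."""
    level, _, cats = mls.partition(":")
    if level != "s0":
        raise ValueError("MCS has a single sensitivity level, s0")
    result = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_id, hi_id = int(lo[1:]), int((hi or lo)[1:])
        result.update(range(lo_id, hi_id + 1))
    return frozenset(result)


def mcs_permits(subject_mls: str, object_mls: str) -> bool:
    """MCS rule: the subject's categories must be a superset of the object's."""
    return parse_categories(subject_mls) >= parse_categories(object_mls)


def translate_context(ctx: str, names: Dict[int, str]) -> str:
    """Render a raw context the way the 'ls -Z' output above shows it, by name."""
    user, role, type_, mls = ctx.split(":", 3)  # the MLS field itself contains ':'
    cats = sorted(parse_categories(mls))
    label = ",".join(names.get(c, f"c{c}") for c in cats)  # assumption: joined by ','
    return ":".join([user, role, type_, label or mls])
```

Because MCS runs after the standard permission check, a positive result here only means the category check passes; the regular DAC bits (and MAC, if enabled) still apply.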