From: dominick.grift@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] SELinux Configuration
Date: Tue, 29 Oct 2013 22:53:21 +0100
Message-ID: <1383083601.2980.31.camel@d30>
In-Reply-To: <001801ced4e9$30d13ad0$9273b070$@com>

On Tue, 2013-10-29 at 16:55 -0400, Gary Cliff wrote:

> Q1: Is 'mls' included in 'targeted'?  
> 

Strictly put: no ... , but

This is kind of confusing, but in the config file mls is referring to the
mls policy model, which is a different policy model than the targeted
policy model. So from that perspective, no, mls is not included with
targeted.

However, mls is also a security model, and in that case mls can be made
to be included with the targeted policy model, usually in the form of
mcs.

Yes, that is confusing indeed. There is just a difference between policy
models and security models.

mls as a security model adds a security attribute (a security level
security attribute, e.g. a fourth field in a SELinux security context),
and that security attribute can be used to enforce confidentiality with
compartmentalization (full MLS), or just compartmentalization (the mls
security attribute used only to add compartmentalization: MCS).

Fedora, for example, ships its targeted policy model with the mls
security model enabled in mcs mode (which adds additional
compartmentalization capabilities).

> 
> Q2: is only MLS protected in 'mls'?
> 

Not strictly, but generally yes (in the context of your question,
probably yes).

In theory there is nothing stopping you from enforcing confidentiality,
with compartmentalization in a targeted policy, but it is not supported,
as it does not really make sense.

So recap:

In the config file, mls is referring to the mls policy model, and
targeted is referring to the targeted policy model.

The mls policy model is by design not "targeted" but "strict",
although you could implement the mls properties into a targeted policy
(just add an unconfined domain to the mls policy model, and then you have
a "targeted mls" policy model... I guess; it's not supported but possible,
I think).

The targeted policy model can be built to support limited mls
capabilities (this IS supported); it's called MCS, which is the MLS
security model without the capabilities to enforce confidentiality,
e.g. it only allows for additional compartmentalization capability using the
MLS security attributes.

Fedora/RHEL have the targeted policy with mcs enabled by default, but no one
has the targeted policy with full mls enabled.

It is kind of unfortunate that people decided to call the policy model
that uses full MLS "the mls policy model", the more so because from a
security model perspective mls is referred to as a model to enforce
confidentiality with compartmentalization (full mls), as well as only
compartmentalization (mcs, aka semi mls).

I hope that this cleared things up a bit for you.. but I will not blame
you if it did not.. because it's just confusing.

Maybe someone else can explain it in simpler terms, and still give a
comprehensive answer
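To make the distinction above concrete, here is an added example (not code from this thread or from refpolicy) that parses the fourth, security-level field of a SELinux context and compares levels the way the two flavours of the mls security model do: full MLS compares sensitivity and compartments, MCS compares compartments only. The contexts in the test are constructed samples, and `no_read_up` is a simplified stand-in for the policy's actual mlsconstrain rules.

```python
# Added example: parse the security-level field of an SELinux context and
# compare levels under full MLS (sensitivity + categories) and under MCS
# (categories only). Sample contexts are constructed, not from a live system.

def parse_categories(spec):
    """Expand 'c0.c5,c7' into {0,1,2,3,4,5,7}; '' gives an empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                      # range cX.cY is inclusive
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats

def parse_level(level):
    """'s1:c2,c4' -> (1, {2, 4}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)

def parse_context(ctx):
    """Split user:role:type[:low[-high]]. The fourth field only exists when
    an MLS/MCS-enabled policy is loaded; a single level means low == high."""
    fields = ctx.split(":", 3)
    user, role, type_ = fields[:3]
    if len(fields) == 3:
        return {"user": user, "role": role, "type": type_, "low": None, "high": None}
    low, _, high = fields[3].partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return {"user": user, "role": role, "type": type_, "low": low_lvl, "high": high_lvl}

def dominates(a, b, mcs_only=False):
    """a dominates b when sens(a) >= sens(b) and cats(a) is a superset of
    cats(b). MCS policies define a single sensitivity (s0), so in MCS mode
    only the category sets are compared."""
    (sens_a, cats_a), (sens_b, cats_b) = a, b
    if not mcs_only and sens_a < sens_b:
        return False
    return cats_a >= cats_b

def no_read_up(subject_ctx, object_ctx, mcs_only=False):
    """Simplified read check: the subject's clearance (high level) must
    dominate the object's level. Real policy expresses this in mlsconstrain."""
    subj, obj = parse_context(subject_ctx), parse_context(object_ctx)
    if subj["high"] is None or obj["low"] is None:
        return True                          # no level field: MLS/MCS not in play
    return dominates(subj["high"], obj["low"], mcs_only)
```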
