Re: user guide draft: "SELinux Contexts and Attributes" review

[Murray McAllister <mmcallis@redhat.com>]

Murray McAllister wrote:

>>> type: The type is an attribute of Type Enforcement. The type defines 
>>> a domain type for subjects, and a type for objects. SELinux policy 
>>> rules define how types access each other, whether it be a domain 
>>> accessing a type, or a domain accessing another domain. Access is 
>>> only allowed if a specific rule exists that allows it.
>>>
>>> category: The category is an attribute of Multi-Level Security (MLS) 
>>> and Multi-Category Security (MCS). Categories are used to categorize 
>>> data, and identify its sensitivity or security level. Standard 
>>> SELinux policy supports MCS; however, it is not heavily used. MCS 
>>> allows users, at their own discretion, to add a category to a piece 
>>> of data, for example, PatientRecord or CompanyConfidential. There is 
>>> only a single security level, s0. MLS labels data with both 
>>> categories (CompanyConfidential) and a sensitivity level. MLS 
>>> enforces the Bell-LaPadula Mandatory Access Model, and is used in 
>>> Labeled Security Protection Profile (LSPP) environments.
>>
>> Again, this should be level or range rather than just category, where a
>> level is a sensitivity and an optional list of categories and a range is
>> a current/low level and a clearance/high level.  You may wish to note
>> that people who wish to use the MLS restrictions need to install a
>> separate -mls policy package and make it the default.
> 

How about:

The security level is an attribute of MLS and Multi-Category Security 
(MCS). The first part of the security level is the sensitivity, for 
example, s0 is a sensitivity. The s0 sensitivity is the only sensitivity 
used when running the SELinux targeted policy. Optionally, the security 
level can have a list of categories. Categories are used to categorize 
data and add an extra level of security. If a user does not have access 
to the same or higher categories than an object, and DAC and SELinux 
rules allow access, access to that object is denied. For example, if a 
user only has access to the c0 category, and an object is labeled with 
the c1 category, access is denied. Security levels can be translated to 
an easier-to-read form, such as CompanyConfidential. For an example list 
of security levels and their translations, refer to the 
/etc/selinux/targeted/setrans.conf file.

When running the SELinux MLS policy, a sensitivity and categories are 
compulsory. MLS allows sensitivities s0 through to s9. MLS enforces the 
Bell-LaPadula Mandatory Access Model[1], and is used in Labeled Security 
Protection Profile (LSPP) environments. To use MLS restrictions, install 
the selinux-policy-mls package, and configure MLS to be the default 
SELinux policy.


from semanage login -l, is the range the "s0-s0" part of the MLS/MCS 
label? And in MLS, this could be something like "s0-s3"?


[1] http://en.wikipedia.org/wiki/Bell-LaPadula_model

> This part is in progress. I do not understand the difference between 
> levels/categories and ranges. Can you recommend any papers or books on 
> this? This is what is there now, keeping in mind I don't understand:
> 
> The level is an attribute of MLS and Multi-Category Security (MCS). 
> There is a single sensitivity level, s0, which is the only sensitivity 
> level used. This level is used when running the SELinux MLS policy, but 
> not when running the SELinux targeted policy. An optional list of 
> categories can be used to categorize data. Standard SELinux policy 
> supports MCS; however, it is not heavily used. MCS allows users, at 
> their own discretion, to add a category to a piece of data, for example, 
> CompanyConfidential or PatientRecord. MLS labels data with both a 
> sensitivity level and categories (such as CompanyConfidential). MLS 
> enforces the Bell-LaPadula Mandatory Access Model, and is used in 
> Labeled Security Protection Profile (LSPP) environments. To use MLS 
> restrictions, install the selinux-policy-mls package, and configure MLS 
> to be the default SELinux policy.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.