SELinux by Example: Using Security Enhanced Linux

8.5. Summary

• The SELinux policy language provides optional support for MLS through the use of additional constraint statements and extensions to the security context.

• For an MLS policy, you must define hierarchical sensitivities and nonhierarchical categories. A valid security level is a combination of a single sensitivity and a set of categories (including the empty set).

• For MLS, the security context is extended with a low (current) and high (clearance) security levels. A hard-coded invariant requires that the high security levels always dominate the low.

  The primary purpose of an MLS policy is to implement the "no read down, no write up" invariant for all objects. We can implement this invariant using the mlsconstrain statement, which is exactly like the constrain statement except that it allows restrictions to also be based on relationships between the source and target security levels.

  The mlsvalidatetrans statement is exactly the same as the validatetrans statement except that it also allows us to restrict security context changes based on the old, new, and process security levels. This allows us to control the ability to change filesystem object security levels.

• For a complete MLS security policy, you must implement MLS constraints on all relevant object class permissions and extend the security context labeling everywhere a security context is applied to an object.