Using MCS and MLS

July 02, 2021

The most common use case for enabling the sepgsql module is to use Multi-Category Support (MCS) and Multi-Level Security (MLS) support within SELinux to fine-tune access to resources.

Limiting access to columns based on categories

Suppose we use the range of category numbers from c900 to c909 to address specific PII datasets, and grant users access to these categories either by granting them direct access, or by using specific SELinux contexts to consult this data.

Within the database, we could mark the PII-sensitive data with a category number within that range:

db_test=# SECURITY LABEL ON COLUMN tb_users.mail IS 'system_u:object_r:sepgsql_table_t:s0:c903';
db_test=# SECURITY LABEL ON COLUMN tb_users.address IS 'system_u:object_r:sepgsql_table_t:s0:c903';

With the labels applied, a user that does not have access to this category will not be able to access the data:

db_test=> SELECT sepgsql_getcon();
user_u:user_r:user_t:s0-s0:c0.c100
db_test=> SELECT uid,name,mail,address FROM tb_users;
ERROR: SELinux: security policy violation;

With the category range for the user set correctly, access to the data is granted:

db_test=> SELECT sepgsql_getcon();
user_u:user_r:user_t:s0-s0:c0.c100,c900.c904
db_test=> SELECT uid,name,mail,address FROM tb_users;

It is important to understand, though, that most domains are allowed to change their own category set at will, as long as it stays within the range assigned to the user in the login mapping:

# semanage login -l
Login Name SELinux User MLS/MCS Range ...
...
taylor user_u s0-s0:c0.c100,c900.c903 ...

This means that, even when a session for this user is launched with a more limited category set (for instance, through the runcon command), the user can still call runcon again to extend the category range, or call the sepgsql_setcon() function from within the database session:

db_test=> SELECT sepgsql_getcon();
user_u:user_r:user_t:s0-s0:c0.c100
db_test=> SELECT sepgsql_setcon('user_u:user_r:user_t:s0-s0:c0.c100,c900.c903');
db_test=> SELECT sepgsql_getcon();
user_u:user_r:user_t:s0-s0:c0.c100,c900.c903

To remediate this, the target domain needs to be MCS-constrained.

Constraining the user domain for sensitivity range manipulation

The SELinux policy always allows reducing the category range, so a range that initially includes the c900 category can always switch to a range that excludes this category. The rules within SELinux that grant domains the privilege to reduce their category range are dominance rules: the source and target category sets are compared as mathematical sets, and if the target set is fully enclosed within (dominated by) the source set, SELinux allows the range transition to occur.

The policy, however, also allows extending the category range (as long as the result stays within the range assigned to the user by the SELinux login configuration), unless the domain itself is marked as MCS-constrained. The default MCS-constrained domains are generally those used for sandboxing or virtualization.
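The following is an added example, not code from the original article or from SELinux itself: a small Python model of the category-set logic described above. It parses the category part of MCS/MLS levels such as s0:c0.c100,c900.c903, checks whether a labelled column is readable (its categories must all be in the subject's set), and decides whether a range change is a reduction (always allowed), an extension within the login mapping (allowed unless the domain is MCS-constrained), or an extension past the login mapping (denied). It only models categories, not sensitivity levels, and the function names are the example's own.

```python
import re

# Added example: models the MCS category rules discussed in the article.
# Only categories are compared; sensitivity levels (s0) are parsed but ignored.
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(level):
    """Category set of one MLS level: "s0:c0.c100,c900.c903" -> {0..100, 900..903}."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in level {level!r}")
    result = set()
    for item in filter(None, cats.split(",")):
        m = _CAT_RE.match(item)
        if not m:
            raise ValueError(f"bad category spec {item!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)      # "c903" is the span c903.c903
        if high < low:
            raise ValueError(f"bad category span {item!r}")
        result.update(range(low, high + 1))
    return result


def range_categories(mls_range):
    """Categories of the high level of a range like "s0-s0:c0.c100" (or a single level)."""
    low, _, high = mls_range.partition("-")
    return parse_categories(high or low)


def context_categories(context):
    """Categories of a full context "user:role:type:low-high" (or "user:role:type:level")."""
    return range_categories(context.split(":", 3)[3])


def can_read(subject_context, object_label):
    """MCS read rule: every category on the object must be in the subject's set."""
    return context_categories(object_label) <= context_categories(subject_context)


def transition_allowed(current, requested, login_range, mcs_constrained):
    """Dominance check for a setcon()/runcon-style range change of a domain."""
    cur = context_categories(current)
    req = context_categories(requested)
    if req <= cur:
        return True                       # reducing the range is always allowed
    if mcs_constrained:
        return False                      # mcs_constrained_type may never grow
    return req <= range_categories(login_range)   # growing only within the login mapping
```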

However, we can easily add more domains. For instance, to mark the user domain as MCS-constrained, load the following CIL policy (which requires the mcs_constrained_type attribute and the user_t type, then adds user_t to the attribute):

(typeattributeset cil_gen_require mcs_constrained_type)
(typeattributeset cil_gen_require user_t)
(typeattributeset mcs_constrained_type (user_t))

This will prevent the user_t domain from growing its category range again.
