One of the most common complaints I hear about the labeled networking access controls in Linux is that users don't know how to configure them for their given scenario. To help solve that problem I'm going to try and document some basic use cases and the associated labeled networking "configuration recipes".
To start off, I'm going to tackle a
Comments 4
I want to ask you a question: why is SELinux's MCS c0--c1023, and not other ranges?
Thanks :)
Reply
The SELinux MCS policy has a single sensitivity level, 's0', and 1024 categories, 'c0.c1023'. The single sensitivity level was just one approach by the policy developers to simplify the complex MLS policy by eliminating the vertical policy hierarchy while still retaining the horizontal separation provided by the policy categories.
-Paul
Reply
netlabelctl cipsov4 add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
netlabelctl map del default
netlabelctl map add default address:192.168.3.5 protocol:cipsov4,8
I can't see categories in my packet.
Can you please tell me how to configure the sent packets to show categories?
Reply
I would suggest starting with a "pass" CIPSO mapping and not a "trans" mapping, as that is easier to configure. I would also suggest that you first verify that the sending SELinux domain has some of the category bits set. If the sending domain does not set any of the category bits then none will be sent via CIPSO.
Reply
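To check whether categories are actually on the wire, as discussed in the exchange above, the CIPSO option bytes from a packet capture can be decoded. This is an added example, not code from the original post or from the NetLabel project; `parse_cipso` is a hypothetical helper, the sample bytes are constructed, and it assumes the tag type 1 (bitmap) layout that `tags:1` selects.

```python
# Added example (not from the original post): decode a CIPSO IPv4 option.
CIPSO_OPTION = 134     # IPv4 option type for CIPSO
TAG_BITMAP = 1         # tag type 1: bitmap tag ("tags:1" in netlabelctl)


def parse_cipso(option: bytes) -> dict:
    """Return the DOI plus the level and categories of each bitmap tag."""
    if len(option) < 6 or option[0] != CIPSO_OPTION:
        raise ValueError("not a CIPSO option")
    opt_len = option[1]
    if opt_len < 6 or opt_len > len(option):
        raise ValueError("bad CIPSO option length")
    result = {"doi": int.from_bytes(option[2:6], "big"), "tags": []}
    pos = 6
    while pos < opt_len:
        if pos + 2 > opt_len:
            raise ValueError("truncated tag header")
        tag_type, tag_len = option[pos], option[pos + 1]
        if tag_len < 2 or pos + tag_len > opt_len:
            raise ValueError("bad tag length")
        if tag_type == TAG_BITMAP:
            if tag_len < 4:
                raise ValueError("bitmap tag too short")
            # Layout: type, length, alignment octet, level, category bitmap.
            bitmap = option[pos + 4:pos + tag_len]
            # Category 0 is the most significant bit of the first bitmap octet.
            cats = [i * 8 + bit for i, octet in enumerate(bitmap)
                    for bit in range(8) if octet & (0x80 >> bit)]
            result["tags"].append({"level": option[pos + 3], "categories": cats})
        pos += tag_len
    return result


# Constructed samples, both DOI 8 and level 0.
WITH_CATS = bytes.fromhex("860c00000008010600006010")  # categories 1, 2, 11
NO_CATS = bytes.fromhex("860a0000000801040000")        # no bitmap octets

if __name__ == "__main__":
    for name, raw in (("with categories", WITH_CATS), ("no categories", NO_CATS)):
        print(name, parse_cipso(raw))
```

An empty `categories` list in the decoded tag means the sender attached no category bits to the packet.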