Stephen Smalley wrote:
> Unfortunately for you, MCS is using the existing MLS engine, which
> doesn't presently support inheritance from parent directory (unlike the
> TE engine). So to support the behavior you want, you'd have to modify
> the actual code (and that's kernel code). Thus, you are more likely to
> find success using actual MLS or using TE.

Let me see if I can come up with a simple patch that does the work. It
sounds better than rewriting each app to actually change the labels for
themselves. (Is there even an API for specifying an MCS label prior to
file creation? If it has to be changed after the file exists then it's a
huge race condition style hole.)

> > Secondly I don't see why a user is not able to discretionarily specify
> > his range outright when going via ssh just as he can with roles.
>
> That's another artifact of the MLS model (label preservation /
> confinement).

Unfortunately here I have no idea at what code I should look to remove
that artifact.

> > No. MLS is about strict ordering 0 < 1 < 2 ... I just want a partially
> > ordered set. I want compartments, not sensitivities. MCS and MLS are
> > orthogonal, at least by their theoretical properties (and SELinux MCS
> > strongly resembles the theory in practice).
>
> I think you're confused about MLS; it supports a set of hierarchical
> sensitivities and a set of non-hierarchical categories, and MCS is
> nothing more than a particular configuration of the MLS engine. So you
> are free to just use a single MLS sensitivity and only use its
> categories.

I think I am not confused. There are two principles, sensitivities and
categories. Categories do have hierarchy, just not a strictly ordered one.
For any two categories one could find a supremal and infimal ones, and
that's what contributes to the quadratic number of types should TE be
used instead. An MCS system is then just taking advantage of the
categories principle, and not utilising the sensitivities one.
That is perfectly what I want, but I just want it to be usable in my use
case, i.e. files inheriting categories from parent dirs, which I think is
perfectly valid. I see this topic recurring and the standard reply "use
something other than MCS" is just weird at least.

Regards,
Michal Svoboda
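As an added illustration (not code from this thread or from SELinux itself), the Python below parses the MLS level syntax used in SELinux contexts, checks dominance, computes the supremum and infimum of two levels that the reply above appeals to, and derives the context a new file would need in order to carry its parent directory's categories. The function names are my own; the assumption is that such a context is handed to libselinux's setfscreatecon() before the creating open(), which is the pre-creation API the message asks about.

```python
import re

def parse_cats(spec: str) -> frozenset:
    """'c1,c3.c5' -> frozenset({1, 3, 4, 5}); '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def parse_level(level: str) -> tuple:
    """'s0:c1,c3.c5' -> (0, frozenset({1, 3, 4, 5})); 's0' -> (0, empty)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return int(m.group(1)), parse_cats(cats)

def format_level(sens: int, cats: frozenset) -> str:
    """Inverse of parse_level; runs of three or more cats print as cN.cM."""
    runs, out = [], []
    for c in sorted(cats):
        if runs and c == runs[-1][1] + 1:
            runs[-1][1] = c
        else:
            runs.append([c, c])
    for lo, hi in runs:
        out += [f"c{lo}.c{hi}"] if hi - lo >= 2 else [f"c{c}" for c in range(lo, hi + 1)]
    return f"s{sens}" + (":" + ",".join(out) if out else "")

def dominates(a: str, b: str) -> bool:
    """MLS 'a dom b': sensitivity not lower and categories a superset (partial order)."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    return sa >= sb and ca >= cb

def bounds(a: str, b: str) -> tuple:
    """(supremum, infimum) of two levels in the sensitivity/category lattice."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    return format_level(max(sa, sb), ca | cb), format_level(min(sa, sb), ca & cb)

def inherit_range(parent_ctx: str, child_ctx: str) -> str:
    """Child's user:role:type with the parent's MLS range: the context to hand
    to libselinux setfscreatecon() before open(O_CREAT) (assumed workflow), so
    the new file is never visible without the parent's categories."""
    user, role, typ, _ = child_ctx.split(":", 3)
    return ":".join((user, role, typ, parent_ctx.split(":", 3)[3]))
```

Two levels that differ only in categories, such as s0:c1 and s0:c2, dominate neither one another, which is the partial order the reply refers to; their join and meet are still well defined.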