SELinux MLS type

Trevor · ‎11-06-2022

Okay, need a little help from the SELinux juggernauts.

I've got my RHEL 8.4 system configured to use an SELinux type of targeted. I've restarted my system several times. However, when I run the sestatus command, I see the following output:

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Why do I see "enabled" on the "Policy MLS status" line?

I also get an output of "1" when I execute the following command:
# cat /sys/fs/selinux/mls

What am I forgetting? What am I missing? What? What? It's things like this that have me using Vidal Sassoon Hair Color.

Thanks all!

Trevor "Red Hat Evangelist" Chandler

Tracy_Baker · ‎11-06-2022

What does your /etc/sysconfig/selinux file look like?

Maybe SELINUXTYPE=mls is set in the file as opposed to SELINUXTYPE=targeted ... ?

-----

Actually, mine says the same thing even though SELINUXTYPE=targeted is set on my system.

So, your question lead to me: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/using-mu...

And, after downloading the doc as a PDF (for easier searching), I found that the answer isn't there, either.

My best guess is that it means that the kernel build supports it, even if it isn't used per the configuration settings.

Anyone else have an idea?

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College

Trevor · ‎11-07-2022

Thanks for weighing in TB. I didn't mention the /etc/selinux/config (same as /etc/sysconfig/selinux) file in my initial post, but I promise you, I examined that
bad boy as well. It was because of what I did see in this file that caused the
greatest disturbance.

Just for completeness, here's what the file looks like:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Thanks for your educated guess. It's more than I had, so maybe I can build on that if I don't receive any definitive response(s) from other members in the community. Hope you're safe and well!!!

Trevor "Red Hat Evangelist" Chandler

EmanuelHaine · ‎11-07-2022

@Trevor

As far I understand, your SELinux is enabled and the running policy is targeted:

Loaded policy name: targeted

In this case, MLS policy is just enabled, but not in use:

Policy MLS status: enabled

dnaspliceoflife · ‎11-07-2022

That was my sense as well. When examining various SE policies, the :sx part of the policy refers to the MLS security sensivity element and by default the value is 0 so it is enabled but everything is considered non-sensitive.

You are more than the sum of what you consume.
Desire is not an occupation.

Trevor · ‎11-11-2022

dnaspliceoflife,

Thanks for your input. I'll add your response
to the other input that I receive to distil a definite
answer.

Hope you're safe and well.

Trevor "Red Hat Evangelist" Chandler

Trevor · ‎11-11-2022

Emauel,

Thanks for your input. I'll take your information,
and add it to the other responses. Ultimately, I
want to be able to compose a definitive answer.

Thanks again for contributing.

Trevor "Red Hat Evangelist" Chandler