Multi-Level Security Policy

A Multi-Level Security (MLS) policy applies access controls to processes at different levels, with each level having its own rules for user access. Users can't obtain access to information if they don't have the correct authorization to run a process at a specific level.

In SELinux, MLS implements the Bell-LaPadula (BLP) model for system security, which applies labels to files, processes, and other system objects to control the flow of information between security levels. In a typical implementation, the labels for security levels might range from the most secure, top secret, through secret, and classified, to the least secure, unclassified.

For example, under MLS, you might configure a program labeled secret that can write to a file that's labeled top secret, but can't read from it. Similarly, you would configure the same program to read from and write to a file labeled secret, but only to read classified or unclassified files. So, information that passes through the program can flow upwards through the hierarchy of security levels, but not downwards.
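The read and write rules in the preceding paragraph can be modeled as a dominance check between two levels. The following is an added example, not code from Oracle or from the SELinux policy. It goes beyond the paragraph by also parsing the category part of an SELinux level (such as s2:c1,c3.c5). The mapping of the four level names to s0 through s3 and all function names are assumptions made for illustration; on a running system the loaded policy decides what is allowed.

```python
"""Simplified Bell-LaPadula check over SELinux-style MLS levels (added example)."""

# Constructed mapping of the level names used in the text (an assumption).
NAMES = {"unclassified": "s0", "classified": "s1", "secret": "s2", "top secret": "s3"}

def parse_level(text):
    """Parse a level such as 's2:c1,c3.c5' into (2, frozenset({1, 3, 4, 5}))."""
    sens, _, cats = text.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity in {text!r}")
    members = set()
    for part in filter(None, cats.split(",")):
        first, _, last = part.partition(".")   # 'c3.c5' is an inclusive range
        last = last or first
        for c in (first, last):
            if not (c.startswith("c") and c[1:].isdigit()):
                raise ValueError(f"bad category in {text!r}")
        lo, hi = int(first[1:]), int(last[1:])
        if lo > hi:
            raise ValueError(f"reversed category range in {text!r}")
        members.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(members)

def dominates(a, b):
    """True when a's sensitivity is at least b's and a holds every category of b."""
    return a[0] >= b[0] and a[1] >= b[1]

def permitted(subject, obj):
    """Return the operations a subject level may perform on an object level."""
    s, o = parse_level(subject), parse_level(obj)
    ops = set()
    if dominates(s, o):
        ops.add("read")    # reading is allowed only at or below the subject's level
    if dominates(o, s):
        ops.add("write")   # writing is allowed only at or above the subject's level
    return ops

if __name__ == "__main__":
    program = NAMES["secret"]
    for name, level in NAMES.items():
        print(f"{name:13} {sorted(permitted(program, level))}")
    # Disjoint categories make two levels incomparable, so nothing is permitted.
    print(permitted("s2:c1", "s2:c2"))
```

The last call shows a case the four-name hierarchy alone hides: two labels with the same sensitivity but different categories do not dominate each other, so neither read nor write is permitted in this model.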

The MLS policy is provided by the selinux-policy-mls package.

Caution:

Oracle doesn't recommend using the MLS policy on a system that's running the X Window System. The X Window System is a complex system that lets many clients connect to a single X server, and it doesn't have the necessary security features to enforce MLS policy correctly.

Note:

Switching to the MLS policy might restrict access for certain confined domains, and the system is likely to generate more SELinux denial messages. These denials can be frequent and difficult to resolve. SELinux denials are often more common when using the MLS policy for the following main reasons:

  • MLS disables the unconfined policy module.

  • MLS uses sensitivity levels.