Project 10: MLS/MCS Classification Demo System

Quick Reference

Attribute              Value
Primary Language       Python/C
Alternative Languages  Go, Rust
Difficulty             Level 4: Expert
Time Estimate          3-4 weeks
Knowledge Area         Multi-Level Security / Government Classification
Tooling                SELinux MLS policy, polyinstantiation
Prerequisites          Projects 1-5 completed, understanding of security models

What You Will Build

A demonstration system implementing true Multi-Level Security with sensitivity labels (Unclassified → Top Secret), showing how data can flow up but not down, polyinstantiated directories, and cross-level communication via trusted channels.

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Understanding sensitivity and category labels → maps to the MLS/MCS range
  • Implementing Bell-LaPadula (No Read Up, No Write Down) → maps to information flow control
  • Setting up polyinstantiated directories → maps to level-based isolation
  • Creating trusted subjects for cross-level operations → maps to privilege management

Key Concepts

  • Bell-LaPadula Model: SELinux by Example Ch. 8
  • MLS Policy: SELinux Notebook - MLS sections
  • Sensitivity Levels: s0-s15 in SELinux
  • Category Sets: c0-c1023 for compartmentalization

Real-World Outcome

# Setup: Users at different clearance levels
$ id alice
uid=1001(alice) context=user_u:user_r:user_t:s0-s2:c0.c15
# Alice has clearance up to SECRET (s2)

$ id bob
uid=1002(bob) context=user_u:user_r:user_t:s0-s3:c0.c31
# Bob has clearance up to TOP SECRET (s3)

# Classification Demo
$ su - alice
$ echo "Unclassified Report" > /mls/s0/report.txt
$ echo "Secret Analysis" > /mls/s2/analysis.txt
$ echo "Top Secret Intel" > /mls/s3/intel.txt
bash: /mls/s3/intel.txt: Permission denied
# Alice cannot write to TOP SECRET (above her clearance)

$ cat /mls/s2/analysis.txt
Secret Analysis
# Alice can read at her level

$ cat /mls/s3/intel.txt
cat: /mls/s3/intel.txt: Permission denied
# Alice cannot read TOP SECRET (No Read Up)

# As Bob (TOP SECRET clearance)
$ su - bob
$ cat /mls/s3/intel.txt
Top Secret Intel
# Bob can read TOP SECRET

$ echo "Bob's notes" >> /mls/s0/report.txt
bash: /mls/s0/report.txt: Permission denied
# Bob cannot write to UNCLASSIFIED (No Write Down - prevents leaks!)

# Polyinstantiated directories
$ ls -Z /tmp
# Each user sees different /tmp based on their level
# Alice's /tmp is isolated from Bob's /tmp

# Audit log showing MLS enforcement
$ ausearch -m AVC | grep mls
type=AVC msg=audit(...): avc:  denied  { write } for
  scontext=user_u:user_r:user_t:s3
  tcontext=system_u:object_r:mls_file_t:s0
  # MLS constraint: write down (s3 -> s0) denied
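The label arithmetic behind the transcript above, as an added example in Python (this is not code from the page, from SELinux or from the project guide). It parses contexts in the form `id` prints them, implements dominance over (sensitivity, category set), and applies No Read Up / No Write Down to the demo's files, so the Core Challenges and Key Concepts sections can be checked against the Real-World Outcome. Assumptions: the per-session levels (alice's shell at s2:c0.c15, bob's at s3:c0.c31), the file labels, the `login_at` helper and the extra compartmented file /mls/s2/c16/program.txt are constructed here, and the write check caps write-up at the clearance, modelled on SELinux's write-to-clearance constraint rather than classic Bell-LaPadula's unbounded blind write-up. One caveat the transcript glosses over: a process has a single current level, so writing both /mls/s0/report.txt and /mls/s2/analysis.txt from one shell is not possible under No Write Down; the s0 write needs a session at s0.

```python
import re
from dataclasses import dataclass

CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")        # c31, or c0.c15 as an inclusive range
LEVEL_RE = re.compile(r"s(\d+)(?::([c0-9.,]+))?")    # s2, or s2:c0.c15,c31


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a set of categories (compartments)."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        """Partial order: sensitivity >= other's AND categories a superset of other's."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)

    def __str__(self):
        cats = ",".join(f"c{c}" for c in sorted(self.categories))
        return f"s{self.sensitivity}:{cats}" if cats else f"s{self.sensitivity}"


def parse_categories(spec):
    """'c0.c15,c31' -> frozenset({0, ..., 15, 31}); '' -> empty set. Categories are c0..c1023."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = CAT_RE.fullmatch(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        if not first <= last <= 1023:
            raise ValueError(f"category out of range: {part!r}")
        cats.update(range(first, last + 1))
    return frozenset(cats)


def parse_level(text):
    """'s2:c0.c15' -> Level(2, {0..15}); 's3' -> Level(3, frozenset()). Sensitivities are s0..s15."""
    m = LEVEL_RE.fullmatch(text)
    if not m or int(m.group(1)) > 15:
        raise ValueError(f"bad level: {text!r}")
    return Level(int(m.group(1)), parse_categories(m.group(2) or ""))


def parse_context(context):
    """'user_u:user_r:user_t:s0-s2:c0.c15' -> dict. In the fourth field, low is
    the process's current level and high its clearance (no '-' means low == high)."""
    user, role, type_, mls = context.split(":", 3)
    low_text, _, high_text = mls.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not high.dominates(low):
        raise ValueError(f"clearance must dominate current level: {mls!r}")
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}


def login_at(context, level_text):
    """Assumed helper: start a session at one chosen level inside the user's range."""
    subj, level = parse_context(context), parse_level(level_text)
    if not (level.dominates(subj["low"]) and subj["high"].dominates(level)):
        raise ValueError(f"{level_text} is outside the range of {context!r}")
    return {**subj, "low": level}


def decide_read(subject, obj):
    """Simple security property (No Read Up): current level must dominate the object."""
    if subject["low"].dominates(obj):
        return True, "read allowed"
    return False, f"No Read Up: {subject['low']} does not dominate {obj}"


def decide_write(subject, obj):
    """*-property (No Write Down): the object must dominate the current level. Assumption:
    write-up is also capped at the clearance (SELinux-style), not unbounded as in classic BLP."""
    if not subject["high"].dominates(obj):
        return False, f"above clearance: {obj} exceeds {subject['high']}"
    if not obj.dominates(subject["low"]):
        return False, f"No Write Down: {obj} does not dominate {subject['low']}"
    return True, "write allowed"


# Constructed object labels: one level per /mls/sN tree, plus a compartmented file at s2:c16.
FILES = {"/mls/s0/report.txt": parse_level("s0"), "/mls/s2/analysis.txt": parse_level("s2"),
         "/mls/s3/intel.txt": parse_level("s3"), "/mls/s2/c16/program.txt": parse_level("s2:c16")}
ALICE = "user_u:user_r:user_t:s0-s2:c0.c15"   # contexts exactly as id prints them in the demo
BOB = "user_u:user_r:user_t:s0-s3:c0.c31"


def replay_demo():
    """Replay the transcript's accesses plus the compartment case; returns {(user, op, path): allowed}."""
    alice = login_at(ALICE, "s2:c0.c15")   # assumed: alice's shell runs at SECRET
    bob = login_at(BOB, "s3:c0.c31")       # assumed: bob's shell runs at TOP SECRET
    accesses = [("alice", alice, "write", "/mls/s3/intel.txt"),
                ("alice", alice, "read", "/mls/s2/analysis.txt"),
                ("alice", alice, "read", "/mls/s3/intel.txt"),
                ("alice", alice, "read", "/mls/s2/c16/program.txt"),  # same sensitivity, missing category
                ("bob", bob, "read", "/mls/s3/intel.txt"),
                ("bob", bob, "read", "/mls/s2/c16/program.txt"),
                ("bob", bob, "write", "/mls/s0/report.txt")]
    results = {}
    for user, subj, op, path in accesses:
        allowed, why = (decide_read if op == "read" else decide_write)(subj, FILES[path])
        results[(user, op, path)] = allowed
        print(f"{user:5} {op:5} {path:24} {'allowed' if allowed else 'DENIED':7} {why}")
    return results
```

Calling `replay_demo()` prints one line per access and returns the decision table; the two /mls/s2/c16 lines show the MCS half of the model, where alice is refused at her own sensitivity because her category set (c0.c15) does not cover c16, while bob's wider set does. The clearance check runs before the *-property check so that alice's attempt on /mls/s3 is reported as the transcript describes it (above her clearance) rather than as an incomparable-label denial.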

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
  • “SELinux by Example” by Frank Mayer