Hello everyone!

I am having some issues with SELinux Multi Category Security on CentOS7 and have been redirected to this mailing list by the folks at centos.org/forums (as a response to my question there [0]).

My problem is the following:
Running CentOS7 64bit with SELinux in enforcing mode in targeted policy, I noticed that a file that is assigned to a certain SELinux MCS (Multi Category Security) category can be read by a user who is not assigned to that category, indicating that MCS isn't working properly.

More specifically, I have users
john | mcsuser_u | s0-s0:c122
jane | mcsuser_u | s0-s0:c123

with
mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux Roles: user_r

and a file
-rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext

I would expect that user jane is unable to read the file since she is not a member of the c122 category. However, running cat johntext as jane prints the contents of the file without problem. This indicates to me that MCS rules are not adhered to.

I tested the same setup on CentOS 6.9, where everything behaves as I would expect (i.e., invoking cat johntext as jane results in a permission denied error).

Since I was unable to find documentation on a major change in policy/configuration regarding SELinux from version 6.9 to 7, I am somewhat confused by this. Am I making an obvious mistake or is this a bug? If the latter, is it CentOS related or was it some change in SELinux policies that I did not find documentation on which are present in the latest versions of CentOS but not in 6.9?

Any advice would be very welcome.

I also posted a more verbose version of this question already on serverfault.com [1], in case a more detailed listing of my steps is required.

Thank you very much in advance.

Best regards,
Lukas P.

[0]: https://www.centos.org/forums/viewtopic.php?f=51&t=66406&sid=31bd377019d7f826e2d76359ca88fc41
[1]: https://serverfault.com/questions/901575/centos7-selinux-doesnt-seem-to-adhere-to-mcs-categories

PS: I sent this mail once already last week but didn't get a reply and it doesn't appear in the archives [https://lists.fedoraproject.org/archives/], so I'm assuming it got lost (maybe because I sent it before subscribing to the list..). If it's a duplicate, please disregard (but maybe point me to / forward me the responses..)
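The following is an added example from the editor, not code from the original post or from the SELinux project. It models the MCS file-read constraint on the contexts shown above, so you can see which of the two policy shapes reproduces each observation. "Dominance only" evaluates just `h1 dom h2` (the subject's high level must carry every category of the object) for every domain; "attribute-gated" evaluates `(h1 dom h2) or (t1 != mcs_constrained_type)`, which is the form the RHEL/CentOS 7 targeted policy uses, so domains that do not carry the `mcs_constrained_type` attribute skip the category check entirely. The process type `user_t`, the file type's irrelevance to that attribute, and the membership of the constrained set are assumptions of the example; on a real box, `seinfo` from setools can list the actual members of that attribute.

```python
"""MCS dominance check modelled on the SELinux mlsconstrain rules.

Added example (not from the original post).  Parses MCS levels such as
's0', 's0:c122' or 's0-s0:c0.c1023', then evaluates the file-read
constraint in the two shapes discussed in the lead-in.
"""
import re

_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")
_MAX_CAT = 1023  # targeted policy defines categories c0..c1023


def parse_level(level):
    """Parse an MCS level into (sensitivity, frozenset of category numbers).

    Accepts single categories (c5), ranges (c0.c1023) and lists (c1,c3.c5).
    """
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = _CAT_RE.match(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= _MAX_CAT:
            raise ValueError(f"category range out of order or out of bounds: {part!r}")
        categories.update(range(lo, hi + 1))
    return sens, frozenset(categories)


def parse_range(mls_range):
    """Parse 'low-high' (e.g. 's0-s0:c0.c1023'); a bare level means low == high."""
    low, _, high = mls_range.partition("-")
    return parse_level(low), parse_level(high or low)


def parse_context(context):
    """Split 'user:role:type:range' into its fields; the range itself may contain ':'."""
    user, role, type_, mls_range = context.split(":", 3)
    return user, role, type_, parse_range(mls_range)


def dominates(a, b):
    """h1 dom h2: same sensitivity (targeted policy only has s0) and a's
    category set is a superset of b's."""
    return a[0] == b[0] and a[1] >= b[1]


def mcs_read_allowed(subject_ctx, object_ctx, constrained_types=None):
    """Evaluate the MCS file-read constraint for a subject reading an object.

    constrained_types=None: plain 'h1 dom h2' for every domain (the CentOS 6
    behaviour reported in the post; its exemption attributes are ignored here).
    constrained_types=set(...): '(h1 dom h2) or (t1 != mcs_constrained_type)';
    a subject type outside the set is never subject to the category check.
    """
    _, _, s_type, (_, s_high) = parse_context(subject_ctx)
    _, _, _, (_, o_high) = parse_context(object_ctx)
    if constrained_types is not None and s_type not in constrained_types:
        return True  # t1 != mcs_constrained_type: category check bypassed
    return dominates(s_high, o_high)


# Constructed contexts modelled on the post; the process type user_t is assumed.
JOHN = "mcsuser_u:user_r:user_t:s0-s0:c122"
JANE = "mcsuser_u:user_r:user_t:s0-s0:c123"
JOHNTEXT = "mcsuser_u:object_r:user_home_t:s0:c122"

# Hypothetical attribute membership: only svirt_t carries mcs_constrained_type.
CONSTRAINED = {"svirt_t"}

if __name__ == "__main__":
    for who, ctx in (("john", JOHN), ("jane", JANE)):
        print(who, "reads johntext |",
              "dominance only:", mcs_read_allowed(ctx, JOHNTEXT),
              "| attribute-gated:", mcs_read_allowed(ctx, JOHNTEXT, CONSTRAINED))
```

With the constructed contexts, jane is denied under the dominance-only check and allowed under the attribute-gated one, which is exactly the CentOS 6 versus CentOS 7 difference the post describes; adding `user_t` to the constrained set makes the gated check deny her again while john, whose high level carries c122, stays allowed in every variant.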