44.5.3. Configuring Categories

44.5.3. Configuring Categories

SELinux maintains a mapping between internal sensitivity and category levels and their human-readable representations in the setrans.conf file. The system administrator edits this file to manage and maintain the required categories.

Use the chcat -L command to list the current categories:

[root@dhcp-133 tmp]# chcat -L
s0:c0                          CompanyConfidential
s0:c3                          TopSecret
s0-s0:c0.c255             SystemLow-SystemHigh
s0:c0.c255                  SystemHigh

To modify the categories or to start creating your own, modify the /etc/selinux/<selinuxtype>/setrans.conf file. For the example introduced above, add the Marketing, Finance, Payroll, and Personnel categories as follows (this example uses the targeted policy, and irrelevant sections of the file have been omitted):

[root@dhcp-133 tmp]# vi /etc/selinux/targeted/setrans.conf

Use the chcat -L command to check the newly-added categories:

[root@dhcp-133 tmp]# chcat -L
s0:c0                          Marketing
s0:c1                          Finance
s0:c2                          Payroll
s0:c3                          Personnel
s0-s0:c0.c255            SystemLow-SystemHigh
s0:c0.c255                 SystemHigh


After you make any changes to the setrans.conf file, you need to restart the MCS translation service before those changes take effect. Use the following command to restart the service:

[root@dhcp-133 ~]# service mcstrans restart

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.