Multilevel security

SELinux also supports a multilevel security (MLS) model, which pays homage to the Bell-LaPadula (BLP) model, although alternative models could be used. The BLP model was created to formalize the Department of Defense's security policies. For example, a person with a secret clearance should not be able to read top-secret material. However, suppose this person has a brilliant idea that ultimately needs to be protected at the top-secret level; that data could then be "up-classified" to top-secret. This rule is referred to as "no read up or write down".

The SELinux implementation of this field has subfields. The first subfield is the sensitivity, which is always present. In the context of the previous example, pertinent sensitivities include secret and top secret. The second subfield is the category, which might not be present. These fields also make sense in the context of government classification. The data itself might be compartmentalized, so while the sensitivity is the same, such as top secret, the data should only be disseminated to people within the same compartment or category.

Sensitivities are defined in a hierarchical fashion via the dominance keyword. In a typical policy, s0 is the lowest sensitivity and sN, where N > 0, is the highest. Thus, s1 has a greater sensitivity than s0. Categories are sets. The controls associated with the level, which is composed of a sensitivity and potentially categories, follow set theory concepts, such as dominance and equality. In MLS security, all interactions are allowed by default, unlike type enforcement. Both the sensitivity and the category can be ranged, and categories can be enumerated. Thus, a label might have some number of sensitivities and a different number of categories.
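The dominance and equality relations described above can be worked through in a few lines. The following Python sketch is an added example, not code from the book or from SELinux: it parses levels and ranges written in the usual `s1:c0,c3.c5` and `low-high` notation and compares them. The function names are hypothetical, the ordering s0 < s1 < ... is the typical-policy assumption stated above, and `can_read`/`can_write` are the plain BLP rules rather than the constraints of any shipped policy. The result names `eq`, `dom`, `domby` and `incomp` are the level operators of the SELinux policy language.

```python
import re

def parse_level(text):
    """Parse a level such as 's1:c0,c3.c5' into (sensitivity, categories)."""
    sens, sep, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens) or (sep and not cats):
        raise ValueError(f"bad level: {text!r}")
    members = set()
    for part in cats.split(",") if cats else []:
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo  # 'c3.c5' is a category range
        if hi < lo:
            raise ValueError(f"reversed category range: {part!r}")
        members.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(members)

def relation(a, b):
    """Return how level a relates to level b: eq, dom, domby or incomp."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    if sa == sb and ca == cb:
        return "eq"
    if sa >= sb and ca >= cb:   # higher-or-equal sensitivity, superset of categories
        return "dom"
    if sa <= sb and ca <= cb:
        return "domby"
    return "incomp"             # neither level dominates the other

def parse_range(text):
    """Split 'low-high' (or a single level) and check that high dominates low."""
    low, sep, high = text.partition("-")
    high = high if sep else low
    if relation(high, low) not in ("eq", "dom"):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return low, high

def can_read(subject, obj):
    """BLP 'no read up': the subject's level must dominate the object's."""
    return relation(subject, obj) in ("eq", "dom")

def can_write(subject, obj):
    """BLP 'no write down': the object's level must dominate the subject's."""
    return relation(subject, obj) in ("eq", "domby")
```

Note the `incomp` case: `s2:c1` does not dominate `s1:c1,c2` even though its sensitivity is higher, because the category set is not a superset.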
