Create Multi Category Security (MCS)

Multi-Category-Security-(MCS).md

@@ -0,0 +1,47 @@
+# Intro
+
+AppArmor is capable of providing Multi-category security though how it is done is different than Multi-category security in selinux. 
+
+# Defining categories
+
+In AppArmor categories are defined by the policy admin. Unless [user defined policy](#UserDefinedPolicy) is used this means the categories must be defined by the policy admin before they can be used.
+
+category include files
+
+# AppArmor 2 & 3
+
+## Dropping categories
+
+requires changing profiles
+
+# AppArmor 4
+
+AppArmor 4 is compatible with the MCS techniquies used in AppArmor 2 and 3, in addition AppArmor 4 introduces delegation which can be used to provide a more dynamic form of MCS. Delegation extends AppArmor so that the tasks label can express the categories that the task belongs to and allows users and tasks to drop categories without having to change profiles.
+
+## ????
+policy chunk instead of plane include.
+
+## Base Policy
+
+needs to include delegation categories and allow delegation of them - won't show up in name
+
+use policy directed delegation or API for rule delegation to setup task in category
+
+Application policy no longer includes category unless it should have access by default, delegation adds the needed accesses.
+
+Exec attachment based delegations
+profile Example//+private /usr/bin/example {}
+
+
+## Task label using delegated
+
+```
+  Example//+private
+```
+
+# Dropping Delegation
+
+
+# User Defined Policy
+
+User defined policy allows users to be admins of their own policy separate from the system policy. Using the same techniques used by system policy the user can define their own categories and policies that restrict the applications the user runs.