Thank you very much @Daniel Walsh & Miroslav Grepl!

It would be very nice if we had this information in the official RHEL7 documentation. I think I studied it thoroughly and still I lost a lot of time because I expected MCS to work out of the box for SELinux Users that I create.

On 2015-09-16 at 23:33, Daniel J Walsh wrote:
> I wrote a more detailed blog on this.
>
> http://danwalsh.livejournal.com/73416.html
>
> On 09/16/2015 04:55 PM, Daniel J Walsh wrote:
>> They are only confined on certain domains.
>>
>> seinfo -amcs_constrained_type -x
>>    mcs_constrained_type
>>       netlabel_peer_t
>>       docker_apache_t
>>       openshift_t
>>       openshift_app_t
>>       sandbox_min_t
>>       sandbox_x_t
>>       sandbox_web_t
>>       sandbox_net_t
>>       svirt_t
>>       svirt_tcg_t
>>       svirt_lxc_net_t
>>       svirt_qemu_net_t
>>       svirt_kvm_net_t
>>
>> If you add this attribute to a type it will start enforcing it.
>>
>> Adding a policy like this will confine guest_t
>>
>> policy_module(mymcs, 1.0)
>> gen_require(`
>>     type guest_t;
>> ')
>>
>> typeattribute guest_t mcs_constrained_type;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
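
The steps from the quoted reply collected into one script, as an added example that is not part of the original thread: it writes the `mymcs` module, builds and loads it, and checks that `guest_t` now appears in the `seinfo` listing. The function names and the `--install` switch are hypothetical; the Makefile path assumes the selinux-policy-devel package is installed, and `seinfo` comes from setools.

```shell
#!/bin/sh
# Added example (not from the thread): build, load and verify the mymcs module.
# Assumption: selinux-policy-devel provides the Makefile below.
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Write the policy source quoted in the thread into directory $1.
write_policy() {
    cat > "$1/mymcs.te" <<'EOF'
policy_module(mymcs, 1.0)

gen_require(`
	type guest_t;
')

typeattribute guest_t mcs_constrained_type;
EOF
}

# Read `seinfo -amcs_constrained_type -x` output on stdin and succeed only if
# type $1 is listed. Matching whole fields keeps svirt_t from matching
# svirt_tcg_t and tolerates different indentation between setools versions.
is_mcs_constrained() {
    awk -v t="$1" '
        { for (i = 1; i <= NF; i++) if ($i == t) found = 1 }
        END { exit !found }'
}

# Compile and load the module (needs root), then confirm the attribute took.
install_and_verify() {
    dir=$(mktemp -d) || return 1
    write_policy "$dir" &&
    make -C "$dir" -f "$DEVEL_MAKEFILE" mymcs.pp &&
    semodule -i "$dir/mymcs.pp" &&
    seinfo -amcs_constrained_type -x | is_mcs_constrained guest_t
}

# Nothing touches the system unless the script is run with --install.
if [ "${1:-}" = "--install" ]; then
    install_and_verify && echo "guest_t is now MCS constrained"
fi
```

The same `is_mcs_constrained` check can be run against any other confined user domain before relying on category separation for it.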