I would like to create a login that has access to one category at the highest sensitivity level, but in another category only has access at a lower sensitivity level. For example, on a system where SystemHigh is s0-s3:c0.c3, one login could be defined as something similar to: s0-s1:c0.c3, s2:c2.c3, s3:c3, while another login could be defined as s0-s2:c0.c3, s3:c0.c2 . Am I correct that MLS policy cannot support this scenario? Is this possible under any old, current, or developmental SELinux policy? Would it be possible to write such a policy with the existing SELinux user/kernel land? Thanks for any pointers, rob. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
