connection between different labels


 



Hi again. Does SELinux contain something functional like the 'multilevel port' from Solaris Trusted Extensions? The concept of an MLP is declaring a number of programs to be 'label aware'. A program of this type is allowed to handle network requests for a specified service from all labels and to handle/generate traffic for any label within its clearance. So the OS just delegates information control to this program. To my mind, something like this is possible for SELinux contexts (we can allow traffic between different domains by policy, and the SELinux context is transferred by 'secret' local processing ;) but maybe something like this is implemented for information labels s0, s1, etc.?

For example:

type=AVC msg=audit(1368735963.286:1998): avc:  denied  { recv } for  pid=4773 comm="python-thinlinc" saddr=127.0.0.1 src="" daddr=127.0.0.1 dest=9000 netif=lo scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:netlabel_peer_t:s4 tclass=peer


My userspace program needs to send a status message to a master process that is executed with clearance s0-s15:c0.c1023, but the request is denied. Hmm... But is the clearance of the master process enough to work with this information? From some tests, I got the result that the 'real' label for the master process is s0, and all processes executed with a label range handle connections only with the lowest label from the range. OK, that's a strong design and I agree. I can switch the label for the reporter process to s0 and send the message, of course... but maybe some trick exists?
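As an added illustration (not part of the original post and not code from any SELinux project), the following Python parses the AVC record quoted above and evaluates the MLS dominance relation that the peer recv decision rests on. It assumes the standard MLS dominance rule (higher-or-equal sensitivity and a superset of categories) and encodes the `peer recv` constraint the way refpolicy's mls file writes it: by default the receiving domain's low level (l1) must dominate the peer level (l2), and only domains carrying the `mlsnetreadtoclr` attribute are checked against their clearance (h1) instead; verify that wording against the installed policy. The attribute names and the `receiver_attrs` parameter are assumptions for illustration, since attribute membership of initrc_t is not visible in the log; the sample AVC line is the one from the post, joined onto one line.

```python
import re

# Constructed sample input: the AVC record from the post, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1368735963.286:1998): avc:  denied  { recv } for  pid=4773 '
    'comm="python-thinlinc" saddr=127.0.0.1 src="" daddr=127.0.0.1 dest=9000 netif=lo '
    'scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:netlabel_peer_t:s4 tclass=peer'
)

LEVEL_RE = re.compile(r'^s(\d+)(?::(.+))?$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_level(text):
    """Parse one MLS level such as 's4' or 's15:c0.c1023' into
    (sensitivity, frozenset of category numbers).  Category lists are
    comma-separated and may contain ranges written as cA.cB."""
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError('bad MLS level: %r' % text)
    cats = set()
    if m.group(2):
        for part in m.group(2).split(','):
            if '.' in part:
                lo, hi = part.split('.', 1)
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def parse_context(ctx):
    """Split user:role:type:mls.  A range 'low-high' yields distinct low and
    high levels; a single level is used as both."""
    user, role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return {
        'user': user, 'role': role, 'type': typ,
        'low': parse_level(low),
        'high': parse_level(high) if high else parse_level(low),
    }


def dominates(a, b):
    """MLS dominance: a dom b iff a's sensitivity is >= b's and a's
    category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_avc(line):
    """Extract the fields of an AVC record that matter for this check."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    return {
        'denied': ' denied ' in line,
        'perms': perms.group(1).split() if perms else [],
        'tclass': fields['tclass'],
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
    }


def peer_recv_check(avc, receiver_attrs=frozenset()):
    """Evaluate the peer recv MLS constraint as refpolicy's mls file writes
    it (assumption; verify against the installed policy):
        (l1 dom l2) or
        (t1 == mlsnetreadtoclr and h1 dom l2) or
        (t1 == mlsnetread)
    l1/h1 are the receiver's low level and clearance, l2 the peer level.
    receiver_attrs is an assumed input: the log does not show attributes."""
    l1, h1 = avc['scontext']['low'], avc['scontext']['high']
    l2 = avc['tcontext']['low']
    low_ok, high_ok = dominates(l1, l2), dominates(h1, l2)
    if low_ok:
        reason = 'low level dominates peer level'
    elif 'mlsnetreadtoclr' in receiver_attrs and high_ok:
        reason = 'clearance dominates peer level and domain has mlsnetreadtoclr'
    elif 'mlsnetread' in receiver_attrs:
        reason = 'domain has mlsnetread'
    else:
        reason = 'low level does not dominate peer level; clearance is not consulted'
    allowed = reason.startswith(('low level dominates', 'clearance', 'domain'))
    return {'allowed': allowed, 'low_dominates': low_ok,
            'high_dominates': high_ok, 'reason': reason}


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print('receiver low/high:', avc['scontext']['low'][0], avc['scontext']['high'][0],
          'peer:', avc['tcontext']['low'][0])
    for attrs in (frozenset(), frozenset({'mlsnetreadtoclr'})):
        print(sorted(attrs), peer_recv_check(avc, attrs))
```

Run against the record above, the default check fails because s0 does not dominate s4 even though the clearance s15:c0.c1023 does, which matches the observation in the post that a ranged process effectively talks to the network at its low level.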


