How to turn off RBAC in SELinux?


 



Hello,

Is it possible to remove any checks for RBAC (role-based access control) violations and check only against MLS/MCS rules?

What I have:
1) a system with most files labelled correctly according to a Fedora-based SELinux policy, which in turn is based on the refpolicy;
they will probably have to be kept to make what I want work
2) RBAC-based control from SELinux is not needed, e.g. it is not needed to prevent httpd from executing 3rd party binaries
3) MLS is needed, e.g. it is needed to verify that httpd cannot access "secret" documents

If I understood correctly, the main calculations are done in context_struct_compute_av() (security/selinux/ss/services.c), but it does not query MLS separately.
Also, all actions are prohibited by default. The problem is that the policy specifies what to allow, but I would like, vice versa, to specify what to deny, while keeping the MLS parts working as is.

The question is: is it possible to make selinux ignore (2), either in the kernel or in policy?

In other words, how can I make SELinux make allow-or-deny decisions based on MLS/MCS only, without RBAC?
The only question that must be answered is: does this action violate the rules for accessing objects of a different level of secrecy (sN:cM) or not?

Please give a clue where to start looking for a solution. Thanks!
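
As an added illustration that is not part of the original message: a simplified model of the decision the message asks for, looking only at the MLS/MCS level (sN:cM) of two contexts and ignoring role and type. The Bell-LaPadula read/write rules, the function names and the sample contexts are assumptions; in SELinux the actual MLS rules come from the policy's mlsconstrain statements.

```python
import re

# Assumption: "read" needs the subject level to dominate the object level,
# "write" needs the object level to dominate the subject level
# (Bell-LaPadula). Real SELinux takes these rules from the loaded policy.
_CAT = re.compile(r"c(\d+)(?:\.c(\d+))?")

def parse_level(level):
    """Parse 's2:c0.c3,c7' into (sensitivity, frozenset of categories)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {level!r}")
    found = set()
    for item in filter(None, cats.split(",")):
        m = _CAT.fullmatch(item)
        if not m:
            raise ValueError(f"bad category {item!r} in {level!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)   # 'c0.c3' is the range c0..c3
        if hi < lo:
            raise ValueError(f"reversed category range {item!r}")
        found.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(found)

def mls_level(context):
    """Low (current) level of 'user:role:type:level[-high]'."""
    parts = context.split(":", 3)    # the level field itself contains ':'
    if len(parts) != 4:
        raise ValueError(f"context has no MLS field: {context!r}")
    return parse_level(parts[3].partition("-")[0])

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mls_allows(scontext, tcontext, perm):
    """Decide on levels only; user, role and type are deliberately ignored."""
    s, t = mls_level(scontext), mls_level(tcontext)
    if perm == "read":
        return dominates(s, t)       # no read up
    if perm == "write":
        return dominates(t, s)       # no write down
    raise ValueError(f"unmodelled permission {perm!r}")

# Constructed sample contexts (not taken from a real system).
HTTPD = "system_u:system_r:httpd_t:s0"
PUBLIC = "system_u:object_r:httpd_sys_content_t:s0"
SECRET = "system_u:object_r:httpd_sys_content_t:s2:c1"
ANALYST = "user_u:user_r:user_t:s2:c0.c3"
```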



