Hello SELinux folks,

I'm running a test system using MCS and just starting to get to the point where I'm interested in enabling NetLabel + CIPSO to pass along context on a LAN.

As a first step, I was able to get it working off `localhost` before adding in CIPSO or other boxen. I'm able to run in enforcing mode (amazing!) and get the peer context (even more amazing!) -- which I can use to calculate the effective "connection context" for logical filtering on common categories. That's really great!

I'm a bit confused with some of the enforcement on this, though. When I run my server (with a user and binary at the level of `s0:c1`), connecting to localhost via a user at `s0` results in a connection getting established. While I understand this isn't the same as MLS / sensitivity level, I'm a bit surprised that it didn't refuse to connect to the privileged resource.

Certainly I can't cat a file from a user at `s0` that's at `s0:c1`, or likely (I haven't tried, but it stands to reason) a UNIX Socket with `c1` -- so the TCP connection going through was a bit surprising.

I can see in the peer context that the user is at `s0` (without `c1`), so it'd be possible to filter this software-side, but it'd also be a bit more of a mental relief if only processes with the `c1` category could connect.

Is there any documentation on how to set that particular type of enforcement?

Thank you all very much!

Paul

--
:wq
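The software-side filtering mentioned in the post, as an added example that is not part of the original message: a check that refuses a peer unless its MCS categories include every category of the server. It assumes the two context strings have already been obtained (for instance from libselinux's `getpeercon()`), compares only the low (current) level of each context, and uses constructed user, role and type names.

```python
def _cat_num(token):
    """Return N for a category token 'cN'; reject anything else."""
    if not (token.startswith("c") and token[1:].isdigit()):
        raise ValueError(f"bad category token: {token!r}")
    return int(token[1:])


def parse_categories(catset):
    """Expand 'c1,c5.c7' into frozenset({1, 5, 6, 7})."""
    cats = set()
    for part in filter(None, catset.split(",")):
        first, dot, last = part.partition(".")
        lo = _cat_num(first)
        hi = _cat_num(last) if dot else lo
        if lo > hi:
            raise ValueError(f"bad category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def low_level(context):
    """Split 'user:role:type:level[-level]' and return (sensitivity, categories)
    of the low (current) level. Using the low level is an assumption of this example."""
    fields = context.rstrip("\x00\n").split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"not an SELinux context with a level: {context!r}")
    sens, _, catset = fields[3].split("-", 1)[0].partition(":")
    return sens, parse_categories(catset)


def peer_allowed(server_ctx, peer_ctx):
    """True only if the peer's categories include every category of the server."""
    try:
        s_sens, s_cats = low_level(server_ctx)
        p_sens, p_cats = low_level(peer_ctx)
    except ValueError:
        return False  # fail closed on anything unparseable
    return s_sens == p_sens and s_cats <= p_cats


# Constructed sample contexts; the user/role/type names are placeholders.
SERVER = "system_u:system_r:server_t:s0:c1"
if __name__ == "__main__":
    for peer in ("user_u:user_r:user_t:s0", "user_u:user_r:user_t:s0:c1",
                 "user_u:user_r:user_t:s0:c0.c3", "user_u:user_r:user_t:s0-s0:c0.c1023"):
        print(peer, "->", "accept" if peer_allowed(SERVER, peer) else "refuse")
```

A server would call `peer_allowed()` right after `accept()` and close the connection when it returns `False`.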