Not quite MLS.

I would like to create a login that has access to one category at the highest sensitivity level, but in another category only has access at a lower sensitivity level. For example, on a system where SystemHigh is s0-s3:c0.c3, one login could be defined as something similar to: s0-s1:c0.c3, s2:c2.c3, s3:c3, while another login could be defined as s0-s2:c0.c3, s3:c0.c2 .

Am I correct that MLS policy cannot support this scenario?

Is this possible under any old, current, or developmental SELinux policy?

Would it be possible to write such a policy with the existing SELinux user/kernel land?

Thanks for any pointers,

rob. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

• This message: [ Message body ]
• Next message: James Morris: "Re: Push mmap_min_addr changes to Linus"
• Previous message: Stephen Smalley: "Re: [PATCH 1/2 -v3] Namespacing of security/selinux"
• Next in thread: Stephen Smalley: "Re: Not quite MLS."
• Reply: Stephen Smalley: "Re: Not quite MLS."

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]