<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>The only use case I can think of to justify the vast additional complexity of MLS is when you need to confine access to resources based on a very specific organisational information flow policy. The MLS policy isn't necessarily more 'secure' than MCS, it's just enforces a different information flow policy (domain separation rather than Bell-LaPadula).</div><div><br></div><div>If you'd like to harden the machine and restrict access to splunk resources, I would:</div><ul><li>Write policy for Splunk then remove all unconfined domains (see section in: <a href="http://danwalsh.livejournal.com/42394.html">http://danwalsh.livejournal.com/42394.html</a>)</li><li>Run splunk in its own category</li><li>Change default user/login clearances as appropriate to restrict access to splunk</li><li>Depending on whether or not your network is labelled or not you might consider using SECMARK or netlabel to restrict network access to splunk</li></ul><div>Hypothetically, you could run multiple instances of splunk in different categories on the same machine for each index if required.</div><div><br></div><div>Cheers,</div><div>Doug</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Robert Gabriel <<a href="mailto:ephemeric@gmail.com">ephemeric@gmail.com</a>><br><span style="font-weight:bold">Date: </span> Thursday, 4 July 2013 2:42 AM<br><span style="font-weight:bold">To: </span> Doug Brown <<a href="mailto:d46.brown@student.qut.edu.au">d46.brown@student.qut.edu.au</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>" <<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Subject: </span> Re: SELinux MLS<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 3 July 2013 13:32, Douglas Brown <span dir="ltr"><<a href="mailto:d46.brown@student.qut.edu.au" target="_blank">d46.brown@student.qut.edu.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word"><div>Full splunk or just the universal forwarder? Interested to know how you go.</div></div></blockquote><div><br></div><div>Full Splunk but it's going to take me forever.<br><br></div><div>Found this in the meantime:<br><br><a href="http://riffraff169.wordpress.com/2011/11/22/splunk-and-selinux/">http://riffraff169.wordpress.com/2011/11/22/splunk-and-selinux/</a><br></div></div></div></div></div></div></span></body></html>