This is not that easy. MCS Separation requires coordination between the process and the data. You need an MCS manager to set the labels on the data and on the process.

For example libvirt uses MCS Separation. Before launching a process it labels all of the image content with a unique MCS label, then launches the VM (qemu) process with a matching MCS Label.

In order to get what separation in your case you would have to have a controller launching the different services with MCS labels.

On 08/25/2014 08:40 AM, David Compton wrote:

I am considering using SELinux to secure the file system of a server that will be used as a multiple category file store. The individual categories cannot have the ability to access data in a directory of a different category. Users for each category will need to access the server via samba and NFS. Additional user interfaces my become necessary in the future (http(s), (s)ftp, etc).

I am new to writing SELinux policies and was hoping that someone could point me in the direction of a template for a similar design that I could use as a base.

Thank you,

David
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux