On 4 July 2013 07:47, Douglas Brown <d46.brown@student.qut.edu.au> wrote:

The only use case I can think of to justify the vast additional complexity of MLS is when you need to confine access to resources based on a very specific organisational information flow policy. The MLS policy isn't necessarily more 'secure' than MCS, it just enforces a different information flow policy (domain separation rather than Bell-LaPadula).

If you'd like to harden the machine and restrict access to splunk resources, I would:
  • Write policy for Splunk then remove all unconfined domains (see section in: http://danwalsh.livejournal.com/42394.html)
  • Run splunk in its own category
  • Change default user/login clearances as appropriate to restrict access to splunk
  • Depending on whether or not your network is labelled, you might consider using SECMARK or netlabel to restrict network access to splunk
Hypothetically, you could run multiple instances of splunk in different categories on the same machine for each index if required.

Thank you, this is great advice, appreciate it.
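As an added illustration of the "run splunk in its own category" and "change default user/login clearances" steps above (this script is not part of the thread and is not Splunk's or Dan Walsh's code), the following audits an seusers-style login mapping and lists every login whose MCS clearance still reaches the category reserved for Splunk. The category number c100 and the sample entries are constructed; the line format login:seuser:mls_range is the one used by /etc/selinux/targeted/seusers.

```python
"""Audit which SELinux logins can reach the MCS category reserved for Splunk.

Input is seusers-format text (login:seuser:mls_range). A login can reach a
category if the high end (clearance) of its range contains that category,
so the __default__ entry at s0-s0:c0.c1023 is what gives every unlisted
login access to a Splunk-only category until it is tightened.
"""
import re

SPLUNK_CATEGORY = 100  # constructed: the category assigned to Splunk's files/process

# Constructed sample in seusers format: login:seuser:mls_range
SAMPLE_SEUSERS = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
splunk:staff_u:s0-s0:c100
analyst:staff_u:s0-s0:c0.c50,c100
clerk:user_u:s0
"""


def parse_categories(spec):
    """Expand a category spec such as 'c0.c50,c100' into a set of integers."""
    cats = set()
    if not spec:
        return cats
    for item in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return cats


def clearance_categories(mls_range):
    """Return the category set of the clearance (high) end of 'low-high'."""
    high = mls_range.split("-")[-1]            # e.g. 's0:c0.c50,c100' or 's0'
    _sensitivity, _, cat_spec = high.partition(":")
    return parse_categories(cat_spec)


def logins_reaching(seusers_text, category):
    """List logins whose clearance includes the given category."""
    reach = []
    for line in seusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # the range itself contains ':' so split only on the first two
        login, _seuser, mls_range = line.split(":", 2)
        if category in clearance_categories(mls_range):
            reach.append(login)
    return reach
```

Running logins_reaching(SAMPLE_SEUSERS, SPLUNK_CATEGORY) on the sample flags __default__, root, splunk and analyst; the first is the entry to narrow with semanage login so that unlisted users no longer inherit the full category range.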