The only use case I can think of to justify the vast additional complexity of MLS is when you need to confine access to resources based on a very specific organisational information flow policy. The MLS policy isn't necessarily more 'secure' than MCS, it's just enforces a different information flow policy (domain separation rather than Bell-LaPadula).

If you'd like to harden the machine and restrict access to splunk resources, I would:

Write policy for Splunk then remove all unconfined domains (see section in: http://danwalsh.livejournal.com/42394.html)
Run splunk in its own category
Change default user/login clearances as appropriate to restrict access to splunk
Depending on whether or not your network is labelled or not you might consider using SECMARK or netlabel to restrict network access to splunk

Hypothetically, you could run multiple instances of splunk in different categories on the same machine for each index if required.

Cheers,

Doug

From: Robert Gabriel <ephemeric@gmail.com>
Date: Thursday, 4 July 2013 2:42 AM
To: Doug Brown <d46.brown@student.qut.edu.au>
Cc: "selinux@lists.fedoraproject.org" <selinux@lists.fedoraproject.org>
Subject: Re: SELinux MLS

On 3 July 2013 13:32, Douglas Brown <d46.brown@student.qut.edu.au> wrote:

Full splunk or just the universal forwarder? Interested to know how you go.

Full Splunk but it's going to take me forever.

Found this in the meantime:

http://riffraff169.wordpress.com/2011/11/22/splunk-and-selinux/