This is not that easy. MCS Separation requires coordination between the
process and the data. You need an MCS manager to set the labels on the
data and on the process.
For example libvirt uses MCS Separation. Before launching a process it
labels all of the image content with a unique MCS label, then launches
the VM (qemu) process with a matching MCS Label.
In order to get that separation in your case you would have to have a
controller launching the different services with MCS labels.
On 08/25/2014 08:40 AM, David Compton wrote:
I am considering using SELinux to secure the file system of a server
that will be used as a multiple category file store. The individual
categories cannot have the ability to access data in a directory of a
different category. Users for each category will need to access the
server via samba and NFS. Additional user interfaces may become
necessary in the future (http(s), (s)ftp, etc).
I am new to writing SELinux policies and was hoping that someone could
point me in the direction of a template for a similar design that I
could use as a base.
selinux mailing list
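
The coordination the reply describes, sketched as an added example that is not part of the original thread: a controller picks a unique MCS category pair per service and gives the same label to that service's data and its process, and access is allowed only when the process's categories include all of the file's. `McsManager` and the service names are hypothetical; the code models the labelling decision only and does not call into SELinux.

```python
import random

def parse_categories(level):
    """Category set of a single MCS level such as 's0:c1,c5' or 's0:c0.c3'."""
    _, _, cats = level.partition(":")
    result = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c3' is the range c0..c3
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        result.update(range(lo_n, hi_n + 1))
    return frozenset(result)

def dominates(process_level, file_level):
    """MCS check: the process must hold every category set on the file."""
    return parse_categories(process_level) >= parse_categories(file_level)

class McsManager:
    """Hypothetical controller: one unique category pair per service.
    A real manager would then apply the label to the data (e.g. with chcon)
    and start the service process under the same label (e.g. with runcon)."""

    def __init__(self, max_category=1023, seed=None):
        self._rng = random.Random(seed)
        self._max = max_category
        self._used = set()
        self.labels = {}

    def allocate(self, service):
        if service in self.labels:
            return self.labels[service]
        while True:
            pair = tuple(sorted(self._rng.sample(range(self._max + 1), 2)))
            if pair not in self._used:           # never reuse a pair
                break
        self._used.add(pair)
        self.labels[service] = "s0:c%d,c%d" % pair
        return self.labels[service]

    def may_access(self, service, data_owner):
        """Would `service`'s process pass the MCS check on `data_owner`'s files?"""
        return dominates(self.labels[service], self.labels[data_owner])
```

Two distinct pairs can never dominate each other, which is what keeps the services apart; a process with the full range `s0:c0.c1023` dominates every pair, and a file left at plain `s0` is not protected by MCS at all.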