MCS labels not being enforced

Mario Rosic mail at rosicmario.eu
Wed Sep 16 14:36:35 UTC 2015


Hello,

I have trouble understanding how MCS labels work, they are not being
enforced on my RHEL7 system even though selinux is "enforcing" and the
policy used is "targeted". I don't think I should be able to access
those files:

backup at test ~ $ ls -lZ /tmp/accounts-users /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c3 /tmp/accounts-admin
-rw-rw-r--. backup backup guest_u:object_r:user_tmp_t:s0:c99 /tmp/accounts-users
backup at test ~ $ id
uid=1000(backup) gid=1000(backup) groups=1000(backup) context=guest_u:guest_r:guest_t:s0:c1

root at test ~ # getenforce
Enforcing

I can still access them even though they have different labels (c3 and
c99 as opposed to my user having c1).
backup at test ~ $ cat /tmp/accounts-users
domenico balance: -30
backup at test ~ $ cat /tmp/accounts-admin
don't lend money to domenico

Am I missing something?

More info:
# semanage user -l
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
guest_u         user       s0         s0-s0:c0.c10                   guest_r

# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          user_u               s0                   *
backup               guest_u              s0:c1                *

Regards,
Mario R
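For reference, the test the MCS constraints apply is `h1 dom h2`: the subject's high level must have a sensitivity at least as high as the object's and a category set that is a superset of the object's. The Python below is an added example, not code from the mail or from SELinux itself; it parses the levels shown in the mail and applies that dominance test, and also checks whether a login's MLS/MCS range fits inside its SELinux user's range. On the contexts above it reports that s0:c1 dominates neither s0:c3 nor s0:c99, so the denial the poster expects is what MCS would produce if the constraint applied to guest_t. In the RHEL 7 targeted policy the MCS constraints on file classes are applied only to domains carrying the mcs_constrained_type attribute (virtual machine, container and sandbox domains), which ordinary confined user domains such as guest_t do not have; that is general policy knowledge rather than something the mail establishes, and `seinfo -a mcs_constrained_type -x` (setools 4 syntax) lists the domains that carry the attribute on a given system.

```python
"""MCS dominance checks for SELinux contexts (added example, not from the mail).

Levels look like "s0", "s0:c1" or "s0:c0.c10,c12"; ranges look like "s0-s0:c0.c10".
The sample contexts below are the ones shown in the mail.
"""
import re
from dataclasses import dataclass

_CAT = re.compile(r"c(\d+)(?:\.c(\d+))?")


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other: "Level") -> bool:
        # "h1 dom h2": sensitivity at least as high and categories a superset
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    """Parse a single level such as 's0', 's0:c1' or 's0:c0.c10,c12'."""
    sens_part, _, cat_part = text.partition(":")
    if not re.fullmatch(r"s\d+", sens_part):
        raise ValueError(f"bad sensitivity: {sens_part!r}")
    cats = set()
    if cat_part:
        for piece in cat_part.split(","):
            m = _CAT.fullmatch(piece)
            if not m:
                raise ValueError(f"bad category: {piece!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if hi < lo:
                raise ValueError(f"inverted category range: {piece!r}")
            cats.update(range(lo, hi + 1))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_range(text: str) -> tuple:
    """Parse 'low' or 'low-high' into (low, high); a lone level is its own high."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not high.dominates(low):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return low, high


def level_of(context: str) -> str:
    """Return the level/range field of 'user:role:type:level' (it may contain ':')."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full context: {context!r}")
    return parts[3]


def mcs_file_access_allowed(process_context: str, file_context: str) -> bool:
    """The MCS file constraint: the subject's high level must dominate the object's."""
    _, h1 = parse_range(level_of(process_context))
    _, h2 = parse_range(level_of(file_context))
    return h1.dominates(h2)


def login_range_within_user(user_range: str, login_range: str) -> bool:
    """Check that a login's range (semanage login -l) fits inside its SELinux user's range."""
    user_low, user_high = parse_range(user_range)
    login_low, login_high = parse_range(login_range)
    return login_low.dominates(user_low) and user_high.dominates(login_high)


if __name__ == "__main__":
    # Constructed from the mail: the backup user's process and the two files.
    proc = "guest_u:guest_r:guest_t:s0:c1"
    for path, ctx in [("/tmp/accounts-admin", "guest_u:object_r:user_tmp_t:s0:c3"),
                      ("/tmp/accounts-users", "guest_u:object_r:user_tmp_t:s0:c99")]:
        verdict = "allowed" if mcs_file_access_allowed(proc, ctx) else "denied"
        print(f"{path}: MCS dominance check would be {verdict}")
    # guest_u is limited to s0-s0:c0.c10, so c1 fits but c99 could never be assigned
    for login_range in ("s0:c1", "s0:c99"):
        ok = login_range_within_user("s0-s0:c0.c10", login_range)
        print(f"login range {login_range} within guest_u range: {ok}")
```

The dominance test is all the policy constraint evaluates; whether it is evaluated at all for a given access depends on the domain's type attributes, which is why the same check that would deny a virtual machine reading another guest's disk image says nothing about guest_t reading a file in /tmp.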


More information about the selinux mailing list