From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 10 Apr 2013 08:48:21 -0400 Subject: [refpolicy] MCS Policy Constraints In-Reply-To: References: Message-ID: <51655F95.50800@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/09/13 16:10, Douglas Brown wrote: > Hi all, > > The MCS policy has only file, database and one network-related class constraint. I'm sure this is deliberate by design, however I'd like to know if there's any impediment to adding category domain separation for all the classes in the MLS policy to the MCS policy and if I may submit a patch to do so? There isn't a problem adding constraints to the other object classes. However, the MCS policy is intended by design to be simple and only cover files and DB, so the patch would not be accepted. If you're looking for comprehensive object class coverage with MCS, it might be sufficient to use the MLS policy but configure it with only 1 sensitivity (set MLS_SENS in build.conf). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com