I have written up a patch for libselinux to implement two functions to translate the security level.

    getselevelbyname
    getselevelbysename
    setransconlevel

These functions try to dlopen a libsetrans and call the equivalent functions in this library. Currently the patch only changes the *getfilecon function calls to use these translations.

I have also attached a libsetrans-0.1.0-src.rpm, which would be the translation library for MCS. I am not sure if a similar library was proposed by TCS or not; I cannot find it.

This is a lot simpler than what Ivan proposed last week. Manipulation of the security level is to be done by the provider of the translation library (setrans), so that an MLS environment can use the Mitre library to translate, while MCS can use much simpler algorithms.

My demo libsetrans does the following:

* If the security level is S0, remove the security level altogether. I don't want users seeing this, since it is pretty useless information. It would be nice to get rid of "object_r" also, since it takes up terminal space and supplies zero information.
* If a file has a security context other than S0, strip S0: off of it and pass it to the translation function calls. Currently these calls only take a single category.
* If there is no translation, it returns the category.

The categories in MCS are currently just loaded from a flat file, /etc/selinux/category.conf:

    c1=Medical Records
    c2=Top Secret
    c3=Company Confidential

Eventually this will be configurable so this data could come from an LDAP server; maybe it could be rolled into nsswitch.

Example output (libselinux has sensitivity level s0, install.log.syslog has s0:c2):

    ls -lZ /root
    -rw-------  root root root:object_r:user_home_t:Top Secret anaconda-ks.cfg
    -rw-r--r--  root root root:object_r:tmp_t:Medical Records dan
    -rw-r--r--  root root root:object_r:user_home_t:Top Secret install.log
    -rw-r--r--  root root root:object_r:user_home_t:c4 install.log.syslog
    -rw-r--r--  root root root:object_r:user_home_t libselinux-1.24.2-2.src.rpm

Comments? Did I reimplement something that others already implemented? Is this what people expect?
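
The three translation rules listed in this post, as an added C example that is not part of the original message or of the attached libsetrans. `translate_context`, `lookup_category` and `SAMPLE_CONF` are hypothetical names, and passing a sensitivity other than s0 through unchanged is an assumption, since the post does not cover that case.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of the flat file; the three entries are those in the post. */
static const char SAMPLE_CONF[] = "c1=Medical Records\nc2=Top Secret\nc3=Company Confidential\n";

/* Find "cat=label" in conf; copy label to out and return 1, or return 0. */
static int lookup_category(const char *conf, const char *cat, char *out, size_t outlen)
{
    size_t catlen = strlen(cat);
    for (const char *line = conf; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > catlen && strncmp(line, cat, catlen) == 0 && line[catlen] == '=') {
            snprintf(out, outlen, "%.*s", (int)(len - catlen - 1), line + catlen + 1);
            return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Hypothetical helper: returns 0, or -1 if the level field is missing or out is too small. */
int translate_context(const char *conf, const char *con, char *out, size_t outlen)
{
    const char *lvl = con;
    for (int i = 0; i < 3; i++) {            /* skip user, role, type */
        if (!(lvl = strchr(lvl, ':'))) return -1;
        lvl++;
    }
    int prefix = (int)(lvl - con) - 1;       /* length of "user:role:type" */
    char label[128];
    int n;
    if (strcmp(lvl, "s0") == 0)              /* plain s0: drop the level entirely */
        n = snprintf(out, outlen, "%.*s", prefix, con);
    else if (strncmp(lvl, "s0:", 3) != 0)    /* assumption: other sensitivities pass through */
        n = snprintf(out, outlen, "%s", con);
    else {                                   /* s0:<category>: label if known, else raw category */
        const char *shown = lookup_category(conf, lvl + 3, label, sizeof label) ? label : lvl + 3;
        n = snprintf(out, outlen, "%.*s:%s", prefix, con, shown);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    if (translate_context(SAMPLE_CONF, "root:object_r:user_home_t:s0:c2", buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

The translated string is for display only; anything that compares or sets contexts still needs the raw `s0:c2` form.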