Setting resource-sensitivity labels
When an SELinux policy is MLS-enabled and supports multiple sensitivities (which is not the case with MCS, as MCS only has a single sensitivity), then SELinux can govern information flow and access between a domain and one or more resources based on the clearance of the domain and the sensitivity level of the resource. But even with a single sensitivity (as is the case with MCS), SELinux has additional constraint support to ensure that domains cannot access resources that have one of the categories assigned that the domain doesn't have clearance for.
A sensitivity level consists of a sensitivity (s0 is generally being used for the lowest sensitivity and s15—which is a policy build-time constant and thus can be configured—is the highest sensitivity) together with a category set (which can be a list such as c0,c5,c8.c10).
A security clearance is similar to a sensitivity level but shows a sensitivity range (such as s0-s3) instead of a single...
