I have some questions about levelFromUid and mlstrustedsubject.

My understanding is that levelFromUid will add two categories to an app's context, such as "c1,c256". MLS constraints make sure a subject cannot access an object with "c1, c256" if it doesn't itself contain "c1" and "c256", unless it is an mlstrustedsubject. But the subject with "c1, c256" should be able to access an object without any categories.

When I look at seapp_contexts, only untrusted_app has levelFromUid=true. So only untrusted_app will have the added categories. MLS constraints will not deny untrusted_app access to the files of platform_app, release_app, etc. This seems a little weird, since the files of platform_app and other apps are not protected from untrusted_app. Actually, it seems the policy wants untrusted_app to access those files, since untrusted_app is put into appdomain. So do we only want app isolation between untrusted_apps?

Also, why is only platform_app given the mlstrustedsubject attribute? Is it because only platform_app may need to access files of untrusted_app sometimes?

Thanks,
Pai
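
The category check as the question above describes it, written out as an added example (not part of the original post, and not kernel or AOSP policy code). It models only the MLS test "subject dominates object, unless the subject is an mlstrustedsubject"; type-enforcement allow rules are a separate check and are not modelled. The function names, the sample contexts and the use of app_data_file as the file type are assumptions made for illustration.

```python
# Added example: models only the MLS check as described in the post.
# Type-enforcement allow rules are a separate check and are not modelled.
from typing import FrozenSet, NamedTuple

# Assumption from the post: platform_app carries the mlstrustedsubject attribute.
MLS_TRUSTED_SUBJECTS = {"platform_app"}

class Context(NamedTuple):
    type: str
    sensitivity: int
    categories: FrozenSet[int]

def parse_categories(spec: str) -> FrozenSet[int]:
    """Expand 'c1,c256' or a range such as 'c0.c3' into category numbers."""
    cats = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(".")
        hi = hi or lo
        if not (lo[:1] == hi[:1] == "c" and lo[1:].isdigit() and hi[1:].isdigit()):
            raise ValueError(f"bad category spec: {part!r}")
        cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
    return frozenset(cats)

def parse_context(ctx: str) -> Context:
    """Parse user:role:type:sN[:categories] (single level, no level range)."""
    fields = ctx.split(":")
    if len(fields) not in (4, 5) or not (fields[3][:1] == "s" and fields[3][1:].isdigit()):
        raise ValueError(f"unsupported context: {ctx!r}")
    cats = parse_categories(fields[4]) if len(fields) == 5 else frozenset()
    return Context(fields[2], int(fields[3][1:]), cats)

def dominates(a: Context, b: Context) -> bool:
    """a dominates b: sensitivity at least as high and a superset of categories."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories

def mls_allows(subject: str, obj: str) -> bool:
    """Access passes the MLS check if the subject dominates the object or is trusted."""
    s, o = parse_context(subject), parse_context(obj)
    return s.type in MLS_TRUSTED_SUBJECTS or dominates(s, o)

# Constructed sample contexts (the category values are illustrative).
APP_A = "u:r:untrusted_app:s0:c1,c256"
APP_B = "u:r:untrusted_app:s0:c2,c256"
PLATFORM = "u:r:platform_app:s0"
FILE_OF_A = "u:object_r:app_data_file:s0:c1,c256"
FILE_NO_CATS = "u:object_r:app_data_file:s0"

if __name__ == "__main__":
    for subj in (APP_A, APP_B, PLATFORM):
        for obj in (FILE_OF_A, FILE_NO_CATS):
            print(f"{subj:32} -> {obj:40} {mls_allows(subj, obj)}")
```

Run as a script, it prints the decision for each subject and object pair, including the case the question raises: a subject with categories passes the check against a file that has none.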