On Fri, 2004-04-02 at 12:37, James Morris wrote:
> On Fri, 2 Apr 2004, Dax Kelson wrote:
>
> > Speaking of which, how do SELinux file permissions interact with a
> > directory that has a default ACL applied?
>
> SELinux only provides additional restrictions to existing DAC logic, so if
> the ACL says "ok", SELinux can still override it. If the ACL says "no",
> access will be denied before SELinux is invoked.

Let me explain in more detail.

I can set a default ACL on a directory so that any new files/directories created within that directory are writable by users joe, mike and sally and the groups hr and sales in addition to the standard uid and gid of the file (with permissions determined by the umask).

It's more flexible than that even. The additional users and groups can each have unique permissions (rwx, r-x, rw-, etc).

That's pretty darn cool and makes it so that the user-private-group scheme is no longer needed.

So how do the SELinux file contexts interact?

I guess I should go grok all this so I can answer my own questions. :) I have a couple projects to get done, then SELinux is next on the list.

Dax Kelson
Guru Labs