--- Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:

>
> --- cinthya aranguren <cinthya.aranguren@xxxxxxxxx> wrote:
>
> > Hi,
> >
> > Is there any way to avoid or remove DAC controls ? I'd like to have only one
> > security scheme in my system. I mean a pure SELinux system. not DAC + MAC.
> > only MAC.
>
> No.
>
> Well, not today.

I will add that if every process runs with CAP_DAC_OVERRIDE set
you can approach "no DAC", but I think you would probably have
to dig very deeply into the behavior of security cognizant
applications (sendmail comes to mind) and make sure that they
aren't explicitly dropping that capability.

I will let those who work more closely with SELinux policy than
I do describe how capabilities possessed are related to an SELinux
policy and how that might impact the behavior of SELinux.

You should also note that SELinux takes what are traditionally
DAC attributes into account when making decisions and that if you
use MCS you are using a DAC mechanism within SELinux. I'm not
saying that's bad, just that it's there.

Casey Schaufler
casey@xxxxxxxxxxxxxxxx
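
An added example, not part of the original message: one way to check which processes currently hold CAP_DAC_OVERRIDE is to read the capability masks the kernel exposes in /proc/<pid>/status. The function names, state labels and sample status text below are constructed for illustration; bit number 1 for CAP_DAC_OVERRIDE comes from <linux/capability.h>.

```python
import glob
import re

CAP_DAC_OVERRIDE = 1  # bit number of CAP_DAC_OVERRIDE in <linux/capability.h>

def parse_status(text):
    """Extract Name and the hex capability masks from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(Name|Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*(\S+)", line)
        if m:
            key, val = m.groups()
            fields[key] = val if key == "Name" else int(val, 16)
    return fields

def dac_override_state(text):
    """Classify how the process described by `text` holds CAP_DAC_OVERRIDE."""
    f, bit = parse_status(text), 1 << CAP_DAC_OVERRIDE
    if f.get("CapEff", 0) & bit:
        return "effective"        # DAC permission checks on files are bypassed now
    if f.get("CapPrm", 0) & bit:
        return "permitted-only"   # lowered, but the process can raise it again
    if f.get("CapBnd", 0) & bit:
        return "absent"           # not held; still present in the bounding set
    return "absent-and-bounded"   # not held and removed from the bounding set

def audit_proc(pattern="/proc/[0-9]*/status"):
    """Return {pid: (name, state)} for every process visible under /proc."""
    report = {}
    for path in glob.glob(pattern):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:           # process exited between glob and open
            continue
        name = parse_status(text).get("Name")
        report[int(path.split("/")[2])] = (name, dac_override_state(text))
    return report

# Constructed samples (not captured from a real system).
SAMPLE_FULL = ("Name:\tdaemon-a\nCapPrm:\t000001ffffffffff\n"
               "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n")
SAMPLE_DROPPED = ("Name:\tdaemon-b\nCapPrm:\t0000000000000400\n"
                  "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\n")

if __name__ == "__main__":
    # List every process for which DAC checks still apply.
    for pid, (name, state) in sorted(audit_proc().items()):
        if state != "effective":
            print(pid, name, state)
```

A snapshot like this shows the masks only at the moment it is read, so a daemon that lowers the capability after startup has to be sampled once it is in its steady state.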