--- Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> > This is a good point. I will experiment with CAP_DAC_OVERRIDE.
> > but .. why SELinux take DAC attributes into account when making
> > decisions ?? this does not violate the separation of "policy" from
> > "Enforcement" ??
>
> SELinux does not use the DAC attributes (uid, gid, mode bits) as part of
> its decision.

I stand corrected. Somehow I thought that uids came into the equation,
but I guess I was wrong.

> SELinux does however control the use of capabilities/privileges in
> accordance with its policy. And it does have a notion of user identity
> in its security context, although that is separately managed and is
> usually used just as a "role set" construct in modern SELinux (e.g.
> staff_u authorized for staff_r and sysadm_r).

That's where I was confusing things, the security context uid being a
component of the policy that is maintained in addition to the traditional
uid.

Thank you for the clarification.

Casey Schaufler
casey@xxxxxxxxxxxxxxxx
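To make the distinction in the exchange above concrete, here is a toy Python model of the kernel's check order (added here as an illustration; it is not code from the thread, the kernel or SELinux). DAC looks only at uid/gid/mode; a DAC failure may be overridden by CAP_DAC_OVERRIDE, but SELinux policy decides whether the process's domain may use that capability, and SELinux then makes its own file decision from labels alone. The domains (`backup_t`, `user_t`), the type `etc_t` and the policy table are constructed for the example.

```python
"""Toy model: DAC first, CAP_DAC_OVERRIDE gated by SELinux policy, then the
SELinux file check. SELinux never reads uid/gid/mode. Constructed example."""
from dataclasses import dataclass

R, W, X = 4, 2, 1
PERM_NAMES = {R: "read", W: "write", X: "execute"}

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int      # 9-bit rwxrwxrwx
    type_: str     # SELinux type label, e.g. etc_t

@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    caps: frozenset   # effective capabilities, e.g. {"dac_override"}
    domain: str       # SELinux domain (type) of the process

# Constructed policy: (source domain, target type, class) -> permissions.
# "self" stands for the source domain itself, as in `allow d self:capability ...`.
POLICY = {
    ("backup_t", "self", "capability"): {"dac_override", "dac_read_search"},
    ("backup_t", "etc_t", "file"): {"read", "getattr"},
    ("user_t", "self", "capability"): set(),
    ("user_t", "etc_t", "file"): {"read", "getattr"},
}

def dac_allows(p, ino, want):
    """Classic owner/group/other mode-bit check: uid, gid and mode only."""
    if p.uid == ino.uid:
        bits = (ino.mode >> 6) & 7
    elif p.gid == ino.gid:
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return bits & want == want

def selinux_allows(domain, ttype, cls, perm):
    return perm in POLICY.get((domain, ttype, cls), set())

def may_access(p, ino, want):
    # 1. DAC decision; SELinux is not consulted and sees no uid/gid/mode.
    if not dac_allows(p, ino, want):
        # 2. Override needs the capability AND policy permission to use it.
        if "dac_override" not in p.caps or not selinux_allows(
                p.domain, "self", "capability", "dac_override"):
            return False
    # 3. Independent MAC check on the file's label for each requested bit.
    return all(selinux_allows(p.domain, ino.type_, "file", PERM_NAMES[b])
               for b in (R, W, X) if want & b)
```

Running the model with a root-owned 0600 file shows both halves of the point: an unprivileged `user_t` process holding CAP_DAC_OVERRIDE is still refused because its domain lacks `capability dac_override`, while a uid-0 process passes DAC without SELinux ever looking at the uid and is then judged purely on the file label.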