On Thursday 11 December 2008 21:44:39 Gregory Stark wrote:
> > Because we want to use SQL-based row access control and SELinux-based row
> > access control at the same time. Isn't this exactly one of the
> > objections upthread? Both must be available at the same time.
>
> Well I don't think anyone would actually want them *at the same time*.
> Combining multiple security models would mean you aren't actually following
> any security model.
That doesn't follow. Using DAC and MAC together is quite standard. Even if
your kernel is SELinux-enabled and has a policy, you'd still want to use
normal permission bits. Same difference here.