On Friday 12 December 2008 19:31:11 Robert Haas wrote:
> Not really. I'm not an SELinux expert. But typically the two do
> exist alongside one another. For example, installing SELinux (MAC)
> does on your system does not make "chmod g+w file" (DAC) stop working;
> it merely performs an ADDITIONAL security check before allowing access
> to the file. You have to satisfy BOTH SELinux AND the ordinary
> filesystem permissions system in order to perform an operation on a
> file.
The MAC permissions are usually set up globally (in some cryptic file) and
apply mandatorily (= M). So a rule might say, a file named topsecret.pdf can
only be stored in a certain place, can only be read by certain people, can
only be opened by a special viewer, cannot be copied and pasted out of, etc.
And there is nothing you can do about it, even if you own the file (short of
changing the global policy).
The DAC permissions are set up by the object owner at their discretion (= D).
So if you write a draft.odt and want your group to look at it, you do a chgrp
g+r or whatever, as you want. It would be silly in this case to have to
request a global MAC policy change for every such step.
> The contention of the author of this patch is that row-level access is
> somehow different - that even though we have two sets of checks for
> files, tables, and (assuming Stephen Frost's patch is accepted)
> columns, we will only have one set of checks for rows, and you can
> pick which one you want.
Yes, that is the part that is puzzling me as well.
