On 7/31/19 11:00 AM, Toby Thain wrote:
> It may not address "all aspects" since it has been necessary for some
> purposes to extend the permission model substantially over time, such
> as ACLs, SELinux, etc.

I thought that ACLs acted as additional gates / restriction points beyond what standard Unix file system permissions allowed, meaning that ACLs couldn't /add/ permission, but they could /remove/ permission.

I think SELinux behaves similarly. It blocks (removes) existing permissions. Beyond that, I think SELinux is filtering (removing) permissions when comparing what (who) is running, combined with what is being run, further combined with what it is being run against. So again, removing existing permissions.

The only thing that I'm aware of that actually /adds/ permissions is the capability subsystem. It can give an unprivileged user the ability to run a binary that can bind to a port below 1024.

-- 
Grant. . . .
unix || die
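The last paragraph above describes the one case the writer sees as adding permission: a file capability letting a non-root user's binary bind a port below 1024. The script below is an added example, not part of Grant's message or of any project, showing how that grant is made with the libcap tools and how to check whether a running process actually holds the capability. It assumes Linux with /proc, setcap/getcap installed, and a filesystem that stores extended attributes; CAP_NET_BIND_SERVICE is capability number 10 in the Linux kernel headers. The binary path passed to grant_low_port_bind is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the original message). Demonstrates the capability
# subsystem granting an unprivileged user the right to bind a port < 1024,
# plus a helper to read the effective capability set of the current process.
# Assumes Linux (/proc/self/status) and libcap's setcap/getcap.

CAP_NET_BIND_SERVICE=10   # capability number from linux/capability.h

# cap_in_mask MASK_HEX CAPNUM
# Return 0 (true) if bit CAPNUM is set in the 64-bit hex capability mask
# as printed on the CapEff:/CapPrm:/CapBnd: lines of /proc/<pid>/status.
# The mask is split into two 32-bit halves so the arithmetic never needs
# more than 32 bits, which keeps it portable across sh implementations.
cap_in_mask() {
    mask=$1
    capnum=$2
    # Left-pad to 16 hex digits so the halves can be sliced by position.
    while [ ${#mask} -lt 16 ]; do mask=0$mask; done
    if [ "$capnum" -ge 32 ]; then
        half=$(printf '%s' "$mask" | cut -c1-8)    # high 32 bits
        bit=$((capnum - 32))
    else
        half=$(printf '%s' "$mask" | cut -c9-16)   # low 32 bits
        bit=$capnum
    fi
    [ $(( (0x$half >> bit) & 1 )) -eq 1 ]
}

# cap_eff_has CAPNUM
# True if the current process's effective capability set contains CAPNUM.
cap_eff_has() {
    eff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    cap_in_mask "${eff:-0}" "$1"
}

# grant_low_port_bind BINARY
# Attach CAP_NET_BIND_SERVICE to the file's permitted and effective sets.
# Afterwards any user who can execute BINARY gets that single capability
# when they run it, with no setuid-root bit involved.  Requires root and a
# filesystem that supports the security.capability extended attribute.
grant_low_port_bind() {
    setcap 'cap_net_bind_service=+ep' "$1" && getcap "$1"
}

# Report on the shell running this script.  As an ordinary user the answer
# is normally "cannot"; as root, or under a setcap'd binary, it is "can".
if cap_eff_has "$CAP_NET_BIND_SERVICE"; then
    echo "this process can bind ports below 1024 (CAP_NET_BIND_SERVICE is effective)"
else
    echo "this process cannot bind ports below 1024 without root or a setcap'd binary"
fi

# To perform the grant on a hypothetical server binary, run as root:
#   grant_low_port_bind /usr/local/bin/myserver
```

The +ep flags matter: "p" puts the capability in the file's permitted set, "e" marks it effective at exec so a program that never calls libcap still gets it. A binary given only "+p" would have to raise the capability itself before calling bind().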