Document content:
SELinux versus regular DAC
SELinux does not change the Linux DAC implementation, nor can it override denials
made by the Linux DAC permissions. If a regular system (without SELinux) prevents
a particular access, there is nothing SELinux can do to override this decision. This is
because the LSM hooks are triggered after the regular DAC permission checks have
been done.
If you need to allow an additional user access to a file, you will need to look into
other features of Linux such as the use of POSIX Access Control Lists through the
setfacl and getfacl commands. These allow the user (not only the administrator!)
to set additional access controls on files and directories, opening up the provided
permission to additional users or groups.
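
The ordering described above can be made concrete with a small model. This is an added Python example, not code from the original text or from SELinux itself; the `File`, `Process` and `POLICY` names, the sample users and the single allow rule are constructed assumptions, and the ACL evaluation is simplified (named-group entries are omitted).

```python
# Added illustration: simplified model of the check order (DAC first, then the LSM hook).
# All names, types and the one-rule policy below are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class File:
    owner: str
    group: str
    mode: dict                                      # e.g. {"owner": "rw", "group": "", "other": ""}
    acl_users: dict = field(default_factory=dict)   # named-user entries (setfacl -m u:NAME:PERMS)
    acl_mask: str = "rwx"                           # ACL mask entry
    setype: str = "user_home_t"

@dataclass
class Process:
    user: str
    groups: frozenset
    domain: str

# Constructed allow rules: (source domain, target type) -> permitted access
POLICY = {("user_t", "user_home_t"): "rw"}

def dac_allows(p, f, want):
    """Mode bits plus named-user ACL entries, in acl(5) order (named groups omitted)."""
    masked = lambda perms: {c for c in perms if c in f.acl_mask}
    if p.user == f.owner:
        granted = set(f.mode["owner"])              # owner entry is not masked
    elif p.user in f.acl_users:
        granted = masked(f.acl_users[p.user])
    elif f.group in p.groups:
        granted = masked(f.mode["group"])
    else:
        granted = set(f.mode["other"])
    return set(want) <= granted

def mac_allows(p, f, want):
    return set(want) <= set(POLICY.get((p.domain, f.setype), ""))

def access(p, f, want):
    if not dac_allows(p, f, want):
        return "denied by DAC"                      # the SELinux check is never reached
    if not mac_allows(p, f, want):
        return "denied by SELinux"
    return "allowed"
```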