I am putting it in 2 points :
SELinux rules apply after DAC permissions.
Example quote from RH documentation says a Rule permits httpd process to access related web directories and files (/var/www/html & others) , while there is No rule for it to access /var/tmp, /tmp, so it cannot access these.
My point of confusion is that, any process while running, inherits and checks permissions of the user running the process and also use this to access any directories and folders.
httpd runs as root initially and then as other user www-data/apache .
Folders /var/www/html & others already have access permissions for root (rwx) and www-data/apache (r_x)
So what’s the use and role of SELinux Allow rule on this when the same purpose is being solved by DAC permissions (and DAC have precedence over SELinux rules)
Documentation says that SELinux rules/policy are checked after DAC and If DAC is denying then , it doesn’t matter if SELinux rule allows or deny it, as it won’t be checked.
So does this simply imply that SELinux rules are only useful when DAC allows but we want SELinux to block it.
Because in other 2 cases below, we have already DAC permissions doing our job.
(DAC –> allow, SELinux needs to allow)
(DAC –> deny, SELinux needs to deny),