<div xmlns="http://www.w3.org/1999/xhtml">One of the security options proposes selecting the default security:</div>
<div xmlns="http://www.w3.org/1999/xhtml">CONFIG_DEFAULT_SECURITY</div>
<div xmlns="http://www.w3.org/1999/xhtml">The user can select traditional Unix DAC or one of the LSMs.</div>
<div xmlns="http://www.w3.org/1999/xhtml">Suppose CONFIG_DEFAULT_SECURITY_DAC=y is selected.</div>
<div xmlns="http://www.w3.org/1999/xhtml">I wonder how it affects LSM policy decisions?</div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml">Let's take file permissions:</div>
<div xmlns="http://www.w3.org/1999/xhtml">file fs/namei.c, kernel 4.8</div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml">__inode_permission ---> do_inode_permission --> generic_permission :</div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml"><div>/*</div><div>         * Do the basic permission checks.</div><div>         */</div><div>        ret = acl_permission_check(inode, mask);</div><div>     <div>        if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))</div><div>                return 0;</div><div> </div><div>         <div>        /* back in __inode_permission(): */</div><div>        retval = do_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>        ...</div><div> </div><div>        retval = devcgroup_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>        return security_inode_permission(inode, mask);</div></div></div><div> </div></div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml">From reading the code we see that first the file ACL is consulted, then Unix UID/GID, then</div>
<div xmlns="http://www.w3.org/1999/xhtml">capabilities, and finally security_inode_permission, i.e. the LSM.</div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml">So the config option in question seems obsolete?</div>
<div xmlns="http://www.w3.org/1999/xhtml">Is the LSM always consulted last?</div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
<div xmlns="http://www.w3.org/1999/xhtml">Am I right? Perhaps I am missing another code path?</div>
<div xmlns="http://www.w3.org/1999/xhtml"> </div>
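<div xmlns="http://www.w3.org/1999/xhtml">The check ordering quoted in the post, as an added user-space model (not kernel code and not part of the original message): the LSM hook runs only after DAC has allowed the access, so it can only add denials, and with no hook registered it returns 0. The struct layouts, the *_model function names and deny_write_lsm are assumptions made for this illustration, and the DAC step is reduced to mode bits plus the CAP_DAC_READ_SEARCH override for plain reads.</div>

```c
#include <errno.h>
#include <stdio.h>
enum { MAY_WRITE = 2, MAY_READ = 4 };
struct inode { unsigned mode, uid, gid; };   /* toy stand-ins, not kernel structs */
struct cred  { unsigned fsuid, fsgid; int cap_dac_read_search; };
static int (*lsm_hooks[4])(const struct inode *, int mask);  /* empty: no LSM */
static unsigned lsm_count, lsm_calls;        /* hooks registered / times consulted */

/* DAC step: mode bits, then the CAP_DAC_READ_SEARCH override for plain reads. */
static int generic_permission_model(const struct cred *c, const struct inode *i, int mask)
{
    unsigned mode = i->mode;
    if (c->fsuid == i->uid)      mode >>= 6;
    else if (c->fsgid == i->gid) mode >>= 3;
    if ((mask & ~mode & 7) == 0) return 0;
    if (mask == MAY_READ && c->cap_dac_read_search) return 0;
    return -EACCES;
}

/* LSM step: each registered hook may veto; with no hooks the answer is 0. */
static int security_inode_permission_model(const struct inode *i, int mask)
{
    int rc = 0;
    for (unsigned n = 0; n < lsm_count && rc == 0; n++)
        rc = lsm_hooks[n](i, mask);
    return rc;
}

/* Ordering from the excerpt: DAC first, the LSM hook only if DAC allowed. */
static int inode_permission_model(const struct cred *c, const struct inode *i, int mask)
{
    int retval = generic_permission_model(c, i, mask);
    return retval ? retval : security_inode_permission_model(i, mask);
}

/* Hypothetical LSM policy: veto every write. */
static int deny_write_lsm(const struct inode *i, int mask)
{
    (void)i; lsm_calls++;
    return (mask & MAY_WRITE) ? -EACCES : 0;
}

int main(void)
{
    struct inode f = { 0644, 1000, 1000 };   /* constructed sample file */
    struct cred other = { 2000, 2000, 0 };
    lsm_hooks[lsm_count++] = deny_write_lsm;
    printf("rc=%d\n", inode_permission_model(&other, &f, MAY_WRITE)); /* DAC denies */
}
```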