When a discretionary or mandatory access check fails on a file system object, the process can either assert a privilege to bypass the security policy, or raise an error if the task should not be allowed at the current label or for that user.
Discretionary access is enabled as follows:
Search access to all directories in the path preceding the final file system object is enabled when the process asserts the file_dac_search privilege.
Read access to the final object is enabled when the process asserts the file_dac_read privilege.
Write access to the final object is enabled when the process asserts the file_dac_write privilege.
Execute access to the final object is enabled when the process asserts the file_dac_execute privilege.
Mandatory access is enabled as follows:
Search access to all directories in the path preceding the final file system object is enabled when the process asserts the file_mac_search privilege.
Read access (including execute access) to the final object is enabled when the process asserts the file_mac_read privilege.
Write access to the final object is enabled when the process asserts the file_mac_write privilege.
Create access to the final object is enabled when the process asserts the file_mac_write privilege.
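The following C model is an added example, not code from the original page or from the operating system. It works out which of the privileges named above a process must have asserted when given checks fail along a path. The bit values, the check_t type, the function names and the NO_PRIV_LISTED sentinel are assumptions made for illustration; the sentinel denies access where the text names no privilege (a failed discretionary check on create).

```c
#include <stdio.h>

/* Privilege names come from the text above; the bit values are constructed. */
enum {
    FILE_DAC_SEARCH = 1 << 0, FILE_DAC_READ = 1 << 1, FILE_DAC_WRITE = 1 << 2,
    FILE_DAC_EXECUTE = 1 << 3, FILE_MAC_SEARCH = 1 << 4, FILE_MAC_READ = 1 << 5,
    FILE_MAC_WRITE = 1 << 6,
    NO_PRIV_LISTED = 1 << 7  /* assumption: fail closed where the text names no privilege */
};

typedef enum { OP_READ, OP_WRITE, OP_EXECUTE, OP_CREATE } op_t;

/* Result of the DAC and MAC checks on one path component (hypothetical type). */
typedef struct { int dac_ok, mac_ok; } check_t;

/* Privileges needed for `op`: path[0..n-2] are the preceding directories,
 * path[n-1] is the final object. */
unsigned required_privs(const check_t *path, int n, op_t op)
{
    static const unsigned dac[] = { FILE_DAC_READ, FILE_DAC_WRITE,
                                    FILE_DAC_EXECUTE, NO_PRIV_LISTED };
    /* Under MAC, execute is covered by read and create by write. */
    static const unsigned mac[] = { FILE_MAC_READ, FILE_MAC_WRITE,
                                    FILE_MAC_READ, FILE_MAC_WRITE };
    unsigned need = 0;
    if (n < 1) return NO_PRIV_LISTED;
    for (int i = 0; i < n - 1; i++) {
        if (!path[i].dac_ok) need |= FILE_DAC_SEARCH;
        if (!path[i].mac_ok) need |= FILE_MAC_SEARCH;
    }
    if (!path[n - 1].dac_ok) need |= dac[op];
    if (!path[n - 1].mac_ok) need |= mac[op];
    return need;
}

/* 1 if the effective set covers every failed check, else 0 (return an error). */
int access_allowed(unsigned effective, const check_t *path, int n, op_t op)
{
    return (required_privs(path, n, op) & ~effective) == 0;
}

/* Constructed sample: dir passes both, dir fails DAC, final object fails MAC. */
static const check_t sample_path[] = { {1, 1}, {0, 1}, {1, 0} };

int main(void)
{
    unsigned need = required_privs(sample_path, 3, OP_EXECUTE);
    printf("execute needs 0x%x\n", need);
    printf("allowed with file_dac_search only: %d\n",
           access_allowed(FILE_DAC_SEARCH, sample_path, 3, OP_EXECUTE));
    return 0;
}
```

Running the same calculation over the operations a program actually performs gives the smallest set of file privileges it needs, which is the set to grant instead of all seven.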