| Updated: October 28, 2024 |
All system paths have permissions associated with them that determine if you can open them for read or write. These permissions can be considered to be, more generally, “low privilege” and “high privilege” access, respectively. Thus, when you're dealing with files, the ability to read the contents is the specific meaning of low privilege, and the ability to change or delete the contents is the specific meaning of high privilege. For non-file resources, which can be associated with a wide variety of actions, these permissions give you two levels of privilege for enforcement, but they don't necessarily correspond to read and write access.
Thus, testing for read or write access is useful regardless of whether reading or writing are relevant to the resource.
If you need greater granularity than checking for high or low privilege, you can use custom process manager abilities (go to “Custom abilities” in the “Abilities” section) or custom security policy permissions and types (go to “Customizing permissions using a security policy” in the “The libsecpol API” chapter).