
Real value of MAC models in Linux

Çağlar Arlı

I have read about MAC vs. DAC on the Internet, but I still fail to understand what kind of attack it is impossible to protect against if one only uses DAC+capabilities in comparison to MAC+DAC+capabilities. If a process does not run as root and lacks CAP_DAC_OVERRIDE, CAP_FOWNER and other dangerous capabilities, it cannot overcome the already assigned ownership and ACLs of the resources it uses. On the other hand, if a process runs as root and has CAP_MAC_ADMIN, it can overwrite the security context enforced by MAC.

So is MAC "just an additional layer of protection" without any real advantage on a modern Linux system?

Update 1: I will add here my "answers" to particular arguments. I assume none of the processes run as root and have unnecessary capabilities (except for the system startup processes/scripts).

An argument: you can protect a web-server from running arbitrary shell-commands.

Answer: (Putting containerized web-apps aside,) one could add an allowing ACL for all commands the server UID/GID can access, and a forbidding ACL to the rest of the commands on the host.

An argument: a user can have a file with permissions 0777 [and essentially leak it to everyone in the system].

Answer: The system startup script can set a default ACL on the directory where this file is created, so that whatever the user process creates in that directory will always inherit those ACLs. In general, having 7 in "others" seems like a bad idea, and if the file gets such permissions, the discretionary policy could be enforced here at system rollout (distribution installation), or even at startup every time the system boots.
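The whole DAC-only argument in the question rests on one premise: no process holds a capability that lets it step around ownership, ACLs or the MAC policy itself (CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_MAC_ADMIN and friends). A defender who relies on that premise needs a way to verify it per process. The script below is an added example, not part of the original post or any answer to it: it decodes the `CapEff` and `CapBnd` masks from `/proc/<pid>/status` into capability names and reports which of the bypass-class capabilities are present. The capability bit positions are those of `<linux/capability.h>`; the bypass list is my own grouping (the ones named in the question plus CAP_DAC_READ_SEARCH, CAP_MAC_OVERRIDE, CAP_SYS_ADMIN and CAP_SETFCAP, which imply or grant them); the embedded status text is constructed sample input.

```python
"""Decode Linux capability masks and flag the ones that bypass DAC/MAC.

Added example: checks the premise "no process has CAP_DAC_OVERRIDE,
CAP_FOWNER, CAP_MAC_ADMIN, ..." against a real /proc/<pid>/status,
or against the constructed sample below when no PID is given.
"""
import sys

# Bit positions from <linux/capability.h>: index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# My grouping (assumption, not a kernel-defined set): capabilities that let a
# process ignore DAC ownership/ACLs or alter the MAC policy/labels directly,
# plus CAP_SYS_ADMIN and CAP_SETFCAP, which can be used to obtain the others.
DAC_MAC_BYPASS = {
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE", "CAP_SYS_ADMIN", "CAP_SETFCAP",
}


def decode_caps(mask_hex):
    """Turn a CapXxx hex mask (as printed in /proc/<pid>/status) into names."""
    mask = int(mask_hex, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Unknown bits (newer kernels) are kept as CAP_<n> rather than dropped.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(text):
    """Return {"CapInh": set, "CapPrm": set, "CapEff": set, ...} from status text."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            sets[key.strip()] = decode_caps(value.strip())
    return sets


def bypass_caps(names):
    """Sorted list of the capabilities in `names` that defeat DAC/MAC."""
    return sorted(names & DAC_MAC_BYPASS)


def report(status_text):
    """Summarise effective and bounding sets for the DAC-only argument."""
    sets = parse_status(status_text)
    eff = sets.get("CapEff", set())
    bnd = sets.get("CapBnd", set())
    return {
        "effective": sorted(eff),
        "effective_bypass": bypass_caps(eff),
        # The bounding set limits what can ever be regained (e.g. via a
        # setuid or file-capability binary), so it matters even when CapEff
        # is clean.
        "bounding_bypass": bypass_caps(bnd),
    }


# Constructed sample: an unprivileged web server holding only
# CAP_NET_BIND_SERVICE (bit 10 = 0x400) but with a full bounding set.
CONSTRUCTED_STATUS = """\
Name:\tnginx
Uid:\t33\t33\t33\t33
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as f:
            text = f.read()
    else:
        text = CONSTRUCTED_STATUS
    for key, value in report(text).items():
        print(f"{key}: {value or 'none'}")
```

Run it as `python3 caps.py <pid>` to inspect a live process, or with no argument to see the constructed sample. For the sample, the effective set contains no bypass capability, which is what the question's argument needs; the bounding set, however, still permits every one of them, which is the kind of gap a DAC-only design has to close explicitly (drop the bounding set, or use no-new-privs) before the "no dangerous capabilities" assumption actually holds.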