So the questioned config option seems obsolete ?
Wheher LSM always consulted last ?
If an LSM is configured/loaded, it is always consulted *after* applying
standard DAC file permission bits checks. (Discretionary Access Control- the
owner of the file/object is allowed to make their own decisions)
LSMs are always restrictive MAC (Mandatory access control - they are applied by
the system regardless of what the user/owner wants) calls. Restrictive means
they can only prohibit a call that has already passed the DAC check, they
cannot allow a call that would otherwise be failed by DAC.
LSMs are called after DAC checks for a number of reasons. One big one
is that when the LSM hooks were designed, the file permission checks were
(and still are) incredibly cheap - 3-4 opcodes or so. So it makes sense to
do the cheap check first, as things like SELinux or AppArmor take a lot
more cycles to do the check. (There's also a few oddball corner cases where
doing the MAC check first results in non-intuitive results)