Agreed. And I would like to go further -- in some contexts there are
requirements that after a program has touched a certain class of file
it is henceforth not allowed to write into another class of file.
I.e. the program isn't going to be allowed to reclassify sensitive
data from one level to another.
This is a fairly dynamic kind of safe environment, where the access
rights depend on the sequence of previous actions.
(This kind of thing may reflect my work with governmental and military
based security policies and may be too much for commercial use.
However, I would submit for discussion that there may be need for
this kind of flexibility.)
--karl--
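
An added illustration, not part of the original message: a minimal reference monitor in which each process's write rights depend on the highest class of file it has already read. The level names, the paths, and the choice to count only reads as "touching" a file are assumptions made for the example.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed classes of file, ordered low to high (assumption).
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

class AccessDenied(Exception):
    pass

class Monitor:
    """Tracks, per process, the highest class of file it has read."""

    def __init__(self, file_levels):
        self.file_levels = dict(file_levels)  # path -> Level
        self.high_water = {}                  # pid -> highest Level read so far
        self.audit = []                       # (pid, op, path, allowed)

    def _level(self, pid, op, path):
        if path not in self.file_levels:      # unlabelled file: deny by default
            self.audit.append((pid, op, path, False))
            raise AccessDenied(f"{path} has no classification")
        return self.file_levels[path]

    def read(self, pid, path):
        level = self._level(pid, "read", path)
        current = self.high_water.get(pid, Level.PUBLIC)
        self.high_water[pid] = max(current, level)  # the mark never goes down
        self.audit.append((pid, "read", path, True))
        return True

    def write(self, pid, path):
        level = self._level(pid, "write", path)
        current = self.high_water.get(pid, Level.PUBLIC)
        allowed = level >= current            # no writing below what was read
        self.audit.append((pid, "write", path, allowed))
        if not allowed:
            raise AccessDenied(f"pid {pid} has read {current.name} data; "
                               f"write to {level.name} file {path} refused")
        return True

def demo():
    # Same write, same file, same process: allowed before the read, refused after.
    m = Monitor({"/pub/notes.txt": Level.PUBLIC, "/secret/plan.txt": Level.SECRET})
    ops = [("write", "/pub/notes.txt"), ("read", "/secret/plan.txt"),
           ("write", "/secret/plan.txt"), ("write", "/pub/notes.txt")]
    results = []
    for op, path in ops:
        try:
            results.append(getattr(m, op)(100, path))
        except AccessDenied:
            results.append(False)
    return results
```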