httpd newbie / access denied, no permission to ~userid

[Les Mikesell]

On Wed, 2005-08-17 at 08:59, Tim wrote:

> > If you don't want two different security checks you can disable
> > SELinux and run the way unix systems have for decades.
> 
> I have, on one system.  But perhaps I should be more explicit:  If, *I*
> set something as world readable, apart from I feel that it ought to do
> precisely what I just set it as, why cannot the system also be able to
> set the appropriate SELinux restrictions at the same time?

I think you are missing the point of SELinux, which is that it works
independently from traditional file access control settings.  The idea
is to catch unexpected things, even if they happen because you set
something wrong.  That is, the purpose of running it is to second-guess
everything else.  It that isn't what you want, don't run it.  Don't
forget that your SELinux policy is just as much *your* setting and
under *your* control as the file permission modes even though the
defaults came with the distribution.  It is doing exactly what you've
told it to do.


> >> If we set something as world
> >> readable, let the system actually apply that setting (it should also set
> >> appropriate SELinux restrictions for you).
> 
> > 'Appropriate' SELinux relate to the process involved, not the files so
> > this is impossible.
> 
> I still don't see any reason why something that's world readable also
> needs further configuration to say "this also means you".  World
> readable ought to mean anybody and anything can read that file.

It does, unless you have told SELinux that certain processes have
to follow a different policy, which you have obviously done.
If it hurts, don't do it....

-- 
  Les Mikesell
    lesmikesell at gmail.com