httpd newbie / access denied, no permission to ~userid

Les Mikesell lesmikesell at gmail.com
Tue Aug 16 14:42:18 UTC 2005


On Tue, 2005-08-16 at 08:39, Tim wrote:

> > "world readable" is a DAC based permission model. SELinux is MAC based.
> > See the Fedora SELinux FAQ on this. The whole point of SELinux is to
> > restrict operations based on the process, above and on top of the classic
> > Linux permissions.
> 
> Be that as it may, it's counterintuitive:  Why should we have to set
> permissions in two different ways?

If you don't want two different security checks you can disable
SELinux and run the way unix systems have for decades.

> If we set something as world
> readable, let the system actually apply that setting (it should also set
> appropriate SELinux restrictions for you).

'Appropriate' SELinux restrictions relate to the process involved, not
the files, so this is impossible.

> Owner permissions are one thing.  But setting something as world
> readable ought to be treated just as you intended.

It is.  If you run SELinux it means you intend for it to add the
SELinux access controls in addition to the file based ones.  If
that isn't what you want, disable it (and reboot...).

-- 
  Les Mikesell
   lesmikesell at gmail.com
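
The two independent checks discussed in this thread, as an added example that is not part of the original message: a small script that reports the file-mode (DAC) result and the SELinux label (MAC input) separately for a file httpd must read. It assumes GNU coreutils `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat`.

# other_bits PATH -> prints the "other" permission digit (0-7) of PATH
other_bits() {
    m=$(stat -c %a "$1") || return 2
    echo "${m#"${m%?}"}"          # last octal digit of the mode
}

# dac_other_ok FILE [TOP] -> 0 if "other" may read FILE and search every
# directory from FILE's parent up to TOP (default /), 1 if not, 2 on error
dac_other_ok() {
    top=${2:-/}
    o=$(other_bits "$1") || return 2
    [ $(( $o & 4 )) -ne 0 ] || return 1      # 4 = read on the file itself
    d=$(dirname "$1")
    while :; do
        o=$(other_bits "$d") || return 2
        [ $(( $o & 1 )) -ne 0 ] || return 1  # 1 = search (x) on a directory
        case $d in "$top"|/|.) break ;; esac
        d=$(dirname "$d")
    done
    return 0
}

# selinux_label PATH -> prints the SELinux context, or "unlabeled" when the
# system has no SELinux labels to report
selinux_label() {
    c=$(stat -c %C "$1" 2>/dev/null) || c=
    case $c in ''|'?') echo unlabeled ;; *) echo "$c" ;; esac
}

# report FILE [TOP] -> one line per access-control layer
report() {
    if dac_other_ok "$1" "${2:-/}"; then
        echo "DAC: readable by other"
    else
        echo "DAC: blocked for other"
    fi
    # The label is evaluated by policy against the requesting process's
    # domain, so it is shown separately from the mode bits.
    echo "MAC: label=$(selinux_label "$1")"
}

if [ $# -gt 0 ]; then report "$@"; fi
```

A file can pass the DAC line and still be refused to httpd when its label is not one the policy allows the web server's domain to read.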




