httpd newbie / access denied, no permission to ~userid

Rahul Sundaram sundaram at redhat.com
Wed Aug 17 14:09:17 UTC 2005


Hi

> But perhaps I should be more explicit:  If, *I*
> set something as world readable, apart from I feel that it ought to do
> precisely what I just set it as, why cannot the system also be able to
> set the appropriate SELinux restrictions at the same time?
>
A good question.  This goes back to the fundamental concept of SELinux. 
It's based on objects (read it as processes for simplicity). The 
traditional form of Linux security is based on users. Users can set 
their files to world readable and it becomes "world readable". This can 
be a potential security issue. SELinux policies sit on top of 
traditional security checks as an additional layer and put control in 
the hands of the administrator. So if the policies controlled by the 
administrator restrict access, that is what is followed instead of the classical 
file permissions.  You could have SELinux tools read file permissions 
and ignore the policies when it's set to world readable, but that would 
compromise the whole object based security model of SELinux.

regards
Rahul
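As an added illustration (not part of the original message or of any real Fedora policy), here is a small Python model of the layering Rahul describes: the SELinux type-enforcement check runs in addition to the classic mode-bit check, so a file under ~userid that is chmod 644 but still labelled `user_home_t` is denied to httpd, while relabelling it (not loosening its mode bits) is what makes it readable. The allow rules, uids and type names are constructed for the example.

```python
import stat

# Constructed type-enforcement rules: (subject type, object type) -> permissions.
# In real policy syntax this would read like "allow httpd_t httpd_user_content_t:file { read getattr };".
POLICY = {
    ("httpd_t", "httpd_user_content_t"): {"read", "getattr"},
    ("httpd_t", "httpd_sys_content_t"): {"read", "getattr"},
    # Deliberately no rule for (httpd_t, user_home_t): files created in a home
    # directory keep that type until they are relabelled.
}

def dac_allows(mode, file_uid, file_gid, uid, gid, want_write=False):
    """Classic discretionary check: pick the owner / group / other bits."""
    if uid == file_uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    elif gid == file_gid:
        bit = stat.S_IWGRP if want_write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(mode & bit)

def mac_allows(subject_type, object_type, perm):
    """SELinux type-enforcement check: default deny unless an allow rule exists."""
    return perm in POLICY.get((subject_type, object_type), set())

def access_decision(subject, obj, perm="read"):
    """Return (allowed, reason). Both layers must agree: DAC is consulted first,
    and a DAC success never bypasses the policy check. The reason string is a
    simplified, constructed imitation of an AVC denial, not real audit output."""
    if not dac_allows(obj["mode"], obj["uid"], obj["gid"], subject["uid"],
                      subject["gid"], want_write=(perm == "write")):
        return False, "denied by DAC (mode bits)"
    if not mac_allows(subject["type"], obj["type"], perm):
        return False, f"avc: denied {{ {perm} }} scontext={subject['type']} tcontext={obj['type']}"
    return True, "allowed"

# Constructed subject: the web server process, running as the apache user with type httpd_t.
HTTPD = {"uid": 48, "gid": 48, "type": "httpd_t"}

# Constructed object: ~userid/public_html/index.html, chmod 644, but still labelled user_home_t.
HOME_PAGE = {"uid": 1000, "gid": 1000, "mode": 0o644, "type": "user_home_t"}

def relabeled(obj, new_type):
    """What an administrator's relabel (chcon -t / restorecon) changes: only the SELinux type."""
    return {**obj, "type": new_type}
```

With these definitions, `access_decision(HTTPD, HOME_PAGE)` is denied by the policy even though the mode bits pass, and `access_decision(HTTPD, relabeled(HOME_PAGE, "httpd_user_content_t"))` is allowed; tightening the mode to 0600 then fails at the DAC layer instead.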