Re: httpd newbie / access denied, no permission to ~userid
From: Les Mikesell (lesmikesell_at_gmail.com)
To: For users of Fedora Core releases <email@example.com> Date: Tue, 16 Aug 2005 09:42:18 -0500
On Tue, 2005-08-16 at 08:39, Tim wrote:
> > "world readable" is a DAC based permission model. SELinux is MAC based.
> > see Fedora SELinux FAQ on this. The whole point of SELinux is to
> > restrict operations based on the process above and top of the classic
> > Linux permissions
> Be that as it may, it's counterintuitive: Why should we have to set
> permissions in two different ways?
If you don't want two different security checks you can disable
SELinux and run the way unix systems have for decades.
> If we set something as world
> readable, let the system actually apply that setting (it should also set
> appropriate SELinux restrictions for you).
'Appropriate' SELinux relate to the process involved, not the files so
this is impossible.
> Owner permissions are one thing. But setting something as world
> readable ought to be treated just as you intended.
It is. If you run SELinux it means you intend for it to add the
SELinux access controls in addition to the file based ones. If
that isn't what you want, disable it (and reboot...).
-- Les Mikesell firstname.lastname@example.org -- fedora-list mailing list email@example.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list