One of the security features of SELinux is that each process runs in its own username space.
For targeted policy, these are listed in the Security / Firewall gui.
For Strict policy, it gets very complex, as every task is running in a separate username space.
The httpd user has a context of http_t, don would have user_t, root has system_t.
User don cannot put anything into http - access denied.
(Since you did, this means the /www/don dir is in reality owned by don - not allowed in httpd space.)
When the mv command is used the destination retains the context of the files.
If cp is used the files take on the context of the destination.
So http, don, and any other regular user cannot access the others' files, change permissions or security context.
So how do you get files into another user's name space?
su -
password
root@domain
This is the guy that owns everything, and by using cp the files take on the context of the destination.
What is NOT seen is that in targeted policy switching to root is like an implied ROLE of admin AND webadmin.
In strict mode policy one may automatically be defined to be one of the several roles in the policy.
Or, for example, the main guy, i.e. = you, can be root, change to the role of admin, or go lower and change to the role of webadmin.
When one person is responsible for many functions, it's a matter of trusted policy and the one person following good security practice, i.e. change to webadmin before cp as root so (s)he doesn't screw up too much.
For your problem, make /www/don and its subdirs owned by httpd
and cp with root (implied ROLE webadmin):
chown -R httpd:httpd /www/don
chmod as needed after the cp from /home/don
There is a provision for using html in a user dir but it is much less secure and puts both users (httpd and don) at risk.
Same type of thing for cgi scripts - only cp with root into www/cgi (and PHP).
SJ
__________________
Do the Math
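The copy-in procedure the post describes (copy as root with cp rather than mv, then fix ownership and modes), as an added example that is not from the post. It is a small POSIX shell script; the paths under /home/don and /www/don, the file modes, and the optional OWNER:GROUP argument are assumptions for illustration. The owner is passed as an argument so the reader can follow the post's chown -R httpd:httpd or keep root ownership with group httpd (a document root the server process cannot write to is the more conservative choice). The restorecon step is an addition to the post's steps: it relabels from the policy's file-context rules, which also repairs a tree that was moved rather than copied, and it is skipped on hosts without SELinux.

```shell
#!/bin/sh
# Added example (not from the original post). Publish a user's HTML tree into
# the web root by copying, so that on an SELinux host the new files take the
# web root's default label instead of the home-directory label mv would keep.
set -eu

# publish SRC DST [OWNER:GROUP]
#   SRC         directory to publish, e.g. /home/don/site   (assumed path)
#   DST         web root subdirectory, e.g. /www/don         (assumed path)
#   OWNER:GROUP optional; e.g. httpd:httpd as in the post, or root:httpd
publish() {
    src=$1
    dst=$2
    owner=${3:-}
    [ -d "$src" ] || { echo "publish: no such source dir: $src" >&2; return 1; }
    mkdir -p "$dst"
    # cp, not mv: the copies are new inodes under DST and get DST's default
    # type from the policy's file transition rules. mv keeps each inode's
    # existing label, so the files would stay labelled as home-directory data.
    cp -R "$src"/. "$dst"/
    # Directories traversable and files readable by the server; nothing
    # executable, nothing world-writable.
    find "$dst" -type d -exec chmod 755 {} +
    find "$dst" -type f -exec chmod 644 {} +
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dst"
    fi
    # Relabel from policy when SELinux is present. This is idempotent and also
    # fixes a tree that was moved in earlier instead of copied.
    if [ -r /sys/fs/selinux/enforce ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dst"
    else
        echo "publish: SELinux tooling not available; skipping relabel" >&2
    fi
}

# label_of PATH: print PATH's SELinux context, or "?" on a host without SELinux.
label_of() {
    if [ -r /sys/fs/selinux/enforce ]; then
        stat -c %C "$1"
    else
        echo '?'
    fi
}

# Usage, as root on the web host (paths assumed):
#   publish /home/don/site /www/don httpd:httpd
#   label_of /www/don/index.html
```

On an SELinux host, compare `label_of` on a file copied in with one moved in: the copied file carries the web root's type, the moved one still carries the home-directory type until restorecon is run over it.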