[CentOS] SELinux and access across 'similar types'

Thu Jan 5 21:36:29 UTC 2012
Bennett Haselton <bennett at peacefire.org>

http://wiki.centos.org/HowTos/SELinux
says:
"Access is only allowed between similar types, so Apache running as 
httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."

However, the doc doesn't define what "similar types" means.  I assumed it 
just meant "beginning with the same prefix".  However, that can't be 
right because on my system with SELinux turned on, httpd runs as type 
init_t:

[root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 ?        Ss   05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 ?        S    05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 ?        S    05:05   0:00 /usr/sbin/httpd

and the robots.txt file has type file_t:
[root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:file_t:s0      /var/www/html/robots.txt

but Apache can of course access that file.  So in Type Enforcement, what 
determines what process type can access what file type?

Bennett