LinuxQuestions.org

-   -   Why can't I modify a file whose group I belong to? (https://www.linuxquestions.org/questions/linux-newbie-8/why-cant-i-modify-a-file-whose-group-i-belong-to-4175530094/)

NotionCommotion 01-05-2015 11:03 AM

Why can't I modify a file whose group I belong to?
 
I have a file with group write status which belongs to group "phped". I expected to be able to delete it with a user that belongs to the same group, but cannot do so. I later tried to edit it using vi, but similarly was not able to.

Please explain what is happening.

Thank you

Code:

[Michael@devserver child_dir]$ pwd
/var/www/main/user_resources/documents/parent_dir/child_dir
[Michael@devserver child_dir]$ ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan  5 07:02 somefile.php
[Michael@devserver child_dir]$ rm somefile.php
rm: remove write-protected regular file `somefile.php'? y
rm: cannot remove `somefile.php': Permission denied
[Michael@devserver child_dir]$ groups Michael
Michael : Michael www phped
[Michael@devserver child_dir]$ sestatus
SELinux status:                enabled
SELinuxfs mount:                /selinux
Current mode:                  permissive
Mode from config file:          permissive
Policy version:                24
Policy from config file:        targeted
[Michael@devserver child_dir]$ cd ..
[Michael@devserver parent_dir]$ ls -l
total 4
drwxrwxr-x. 2 phped phped 4096 Jan  5 08:54 child_dir
[Michael@devserver parent_dir]$


/dev/random 01-05-2015 11:24 AM

-rwxrwxr-x. the "." should be a good indication... It's a SELinux ACL

To remove it run the following in the directory
Code:

find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux

NotionCommotion 01-05-2015 11:45 AM

Quote:

Originally Posted by /dev/random (Post 5295697)
-rwxrwxr-x. the "." should be a good indication... It's a SELinux ACL

To remove it run the following in the directory
Code:

find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux

Ah, so it is a selinux thing. Note that in my original post I showed that selinux is in permissive mode. Wouldn't this allow it to go through?

I tried your code, and no success.
Code:

[Michael@devserver child_dir]$ find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
[sudo] password for Michael:
Michael is not in the sudoers file.  This incident will be reported.
[sudo] password for Michael:

[Michael@devserver child_dir]$ su -
Password:
[root@devserver ~]# cd /var/www/main/user_resources/documents/parent_dir/child_dir
[root@devserver child_dir]# find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
setfattr: .: Permission denied
setfattr: ./somefile.php: Permission denied
[root@devserver child_dir]# ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan  5 07:02 somefile.php
[root@devserver child_dir]#

I am not as interested in removing it as I am in understanding what is happening. I looked at files and directories in other areas, and they all have that trailing dot. Meaning they all have a selinux ACL?

I just looked at http://wiki.centos.org/HowTos/SELinux, and it appears to confirm that permissive mode should not enforce security policy. Still think it is a selinux issue?

Quote:

Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
Thanks!

/dev/random 01-05-2015 11:52 AM

Quote:

Originally Posted by NotionCommotion (Post 5295710)
Ah, so it is a selinux thing. Note that in my original post I showed that selinux is in permissive mode. Wouldn't this allow it to go through?

I tried your code, and no success.
Code:

[Michael@devserver child_dir]$ find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
[sudo] password for Michael:
Michael is not in the sudoers file.  This incident will be reported.
[sudo] password for Michael:

[Michael@devserver child_dir]$ su -
Password:
[root@devserver ~]# cd /var/www/main/user_resources/documents/parent_dir/child_dir
[root@devserver child_dir]# find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
setfattr: .: Permission denied
setfattr: ./somefile.php: Permission denied
[root@devserver child_dir]# ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan  5 07:02 somefile.php
[root@devserver child_dir]#

I am not as interested in removing it as I am in understanding what is happening. I looked at files and directories in other areas, and they all have that trailing dot. Meaning they all have a selinux ACL?

I just looked at http://wiki.centos.org/HowTos/SELinux, and it appears to confirm that permissive mode should not enforce security policy. Still think it is a selinux issue?



Thanks!

Yes, the trailing dot means a SELinux-based ACL (where a + indicates a standard ACL).
Policy and SELinux ACLs are different; you can't turn off SELinux ACLs. You can remove them from the permission bits, but there's no blanket remove-all function.

What distro are you running?

NotionCommotion 01-05-2015 12:00 PM

Quote:

Originally Posted by /dev/random (Post 5295715)
What distro are you running?

Centos 6. I still don't understand why selinux would be enforcing if in permissive mode.
Code:

[root@devserver /]# cat /proc/version
Linux version 2.6.32-504.1.3.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Tue Nov 11 17:57:25 UTC 2014
[root@devserver /]# cat /etc/centos-release
CentOS release 6.6 (Final)
[root@devserver /]#


/dev/random 01-05-2015 01:02 PM

Try this: disable SELinux entirely, then reboot and see if the permissions are fixed (see if you can access your files r/w). If you can, just get rid of SELinux entirely, unless you want the added nonsense of restorecon and all the other wonderful things SELinux brings to the table. I myself am not a fan of SELinux and have often gone with (in my opinion better) PaX/grsecurity patches and tools.

vincix 01-05-2015 05:24 PM

Quote:

Originally Posted by /dev/random (Post 5295715)
Yes, the trailing dot means a SELinux-based ACL (where a + indicates a standard ACL).
Policy and SELinux ACLs are different; you can't turn off SELinux ACLs. You can remove them from the permission bits, but there's no blanket remove-all function.

What distro are you running?

Then how come I can edit files (on Centos 6.6) without having modified SELinux in any way and under the same circumstances? (group permissions and that dot at the end of the file when I list them with ls -l) Actually, when I write ls -l, ALL files have a dot at the end. What is that supposed to mean? I've never had any problems with permissions.

@NotionCommotion
I am going to ask you a stupid question: you did log in again, right? Whenever you add a user to a group, you need to log in again in order for /etc/group to be reread, otherwise you don't have the respective permissions.

P.S. My current SELinux mode is 'enforcing'

jpollard 01-05-2015 05:57 PM

ACLs are not a SELinux thing. They are a property of the filesystem that the kernel supports. And the "." indicates there is no ACL list.

One thing that can prevent your deletion of /var/www/main/user_resources/documents/parent_dir/child_dir is that you need write access to /var/www/main/user_resources/documents.

This is because you are removing a file name from the directory - and that means you must be able to write to it. You might check that the group permissions (as well as group ownership) of the documents directory permit read/write/search (the x on directories).

NotionCommotion 01-05-2015 09:54 PM

Quote:

Originally Posted by vincix (Post 5295885)
@NotionCommotion
I am going to ask you a stupid question: you did log in again, right? Whenever you add a user to a group, you need to log in again in order for /etc/group to be reread, otherwise you don't have the respective permissions.

I am going to request that they change the name of this forum from Newbie to Idiot. Thank you, I guess I never realized doing so was required, but I am certain I will never forget.

grail 01-05-2015 10:10 PM

Don't beat yourself up too badly ... I doubt there is anyone on this forum who has not made a similar oversight in the last couple of months :)

You are correct though ... you only have to make certain errors once and you have learnt them for a lifetime :D

tomiii 01-06-2015 02:50 AM

This is not a selinux issue. Removing a file from a directory requires write permission on the directory itself. The permissions on the actual file to be removed are irrelevant. Conceptually, a directory is just a file that contains a list of other filenames. Adding or removing a file in a directory requires write permission to that list of filenames.
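
An added example, not from any post in this thread, that mirrors the kernel's discretionary access check for unlink(2) in Python and runs it against a scratch copy of the thread's child_dir/somefile.php. It illustrates tomiii's point that only the directory's permission bits decide whether a name can be removed, and vincix's point that the group set used for that check belongs to the running process and is fixed at login: `groups Michael` (with a username) consults the group database, while `id -G` or `groups` with no argument shows what the shell actually carries. The second user `other_uid`, the scenario labels and the file content are constructed; root's CAP_DAC_OVERRIDE, POSIX ACLs (the "+" in ls -l) and SELinux (which in permissive mode denies nothing anyway) are deliberately left out of the model.

```python
import grp
import os
import pwd
import stat
import tempfile


def _class_bits(st, uid, gids):
    """Pick the owner, group or other permission triplet that applies to a
    process with effective uid `uid` and group set `gids`, as the kernel does
    for plain mode bits: owner first, then group, then other."""
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    perm = (st.st_mode >> shift) & 0o7
    return bool(perm & 4), bool(perm & 2), bool(perm & 1)


def can_unlink(path, uid, gids):
    """Return (allowed, reason) for unlink(2) of `path` by a process running
    as `uid` with group set `gids`. Only the directory's bits are consulted;
    the file's own bits never are. A sticky directory (e.g. /tmp) additionally
    restricts deletion to the owner of the file or of the directory.
    Simplification: no CAP_DAC_OVERRIDE, POSIX ACLs or SELinux."""
    parent = os.path.dirname(os.path.abspath(path))
    dst = os.stat(parent)
    fst = os.lstat(path)
    _, w, x = _class_bits(dst, uid, gids)
    if not x:
        return False, "no search (x) permission on directory %s" % parent
    if not w:
        return False, "no write permission on directory %s" % parent
    if dst.st_mode & stat.S_ISVTX and uid not in (dst.st_uid, fst.st_uid):
        return False, "sticky directory: not owner of file or directory"
    return True, "ok"


def groups_not_yet_in_session(uid=None):
    """Groups the group database grants `uid` that the current process does
    not carry: the 'log in again' gap. Compares the live credentials
    (getgroups/getgid) with /etc/passwd and /etc/group."""
    if uid is None:
        uid = os.getuid()
    try:
        pw = pwd.getpwuid(uid)
    except KeyError:            # uid absent from the passwd database
        return set()
    in_db = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
    live = set(os.getgroups()) | {os.getgid()}
    return in_db - live


def demo():
    """Reproduce the thread's layout in a scratch directory. The directory and
    file are owned by whoever runs this; `other_uid` is a constructed second
    user and `grp_id` the directory's group, so no chown is needed.
    Returns a dict of scenario -> allowed."""
    with tempfile.TemporaryDirectory() as top:
        child = os.path.join(top, "child_dir")
        os.mkdir(child)
        target = os.path.join(child, "somefile.php")
        with open(target, "w") as fh:
            fh.write("<?php\n")                      # constructed content
        grp_id = os.stat(child).st_gid
        other_uid = os.stat(child).st_uid + 1        # owns nothing here
        results = {}
        # 1. drwxrwxr-x dir, process carries the dir's group -> allowed
        os.chmod(child, 0o775)
        os.chmod(target, 0o775)
        results["group_member"] = can_unlink(target, other_uid, {grp_id})[0]
        # 2. same dir, but the user was added to the group after logging in,
        #    so the running shell still has the old group set -> denied
        results["added_to_group_but_not_relogged_in"] = can_unlink(
            target, other_uid, set())[0]
        # 3. file is rw for everyone, directory is not group-writable -> denied
        os.chmod(child, 0o755)
        os.chmod(target, 0o666)
        results["file_writable_dir_not"] = can_unlink(target, other_uid, {grp_id})[0]
        # 4. read-only file in a writable directory -> allowed; rm's
        #    "write-protected" prompt is a courtesy, not a permission check
        os.chmod(child, 0o775)
        os.chmod(target, 0o444)
        results["file_readonly_dir_writable"] = can_unlink(target, other_uid, {grp_id})[0]
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-38s %s" % (name, "allowed" if ok else "Permission denied"))
    print("groups granted but not in this session:", groups_not_yet_in_session())
```

Scenario 2 is the thread's actual situation: `groups Michael` reported phped because it reads the database, but the shell that ran `rm` was started before the membership was added, so the kernel never saw phped in that process's group set until a fresh login.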

vincix 01-06-2015 04:18 AM

Quote:

Originally Posted by NotionCommotion (Post 5295997)
I am going to request that they change the name of this forum from Newbie to Idiot. Thank you, I guess I never realized doing so was required, but I am certain I will never forget.

So was that it?

The reason I gave you that advice was because I myself have made that mistake and I've struggled in vain for a while until I realised that was the problem :)

NotionCommotion 01-06-2015 10:18 AM

Quote:

Originally Posted by vincix (Post 5296120)
So was that it?

Yup. I appreciate the help.

