Some very odd file permission things are going on, and I suspect it has
to do with SELinux.

Files on my webserver can be viewed by anyone even when permissions are
set against them. Take this extreme example, which definately should
NOT be happening:

I have a directory foo/ with owner and group of root. (btw there is
only user root in group root.) Permissions on the directory are set up
as ONLY group executable.
In foo/ i have file bar with owner and group of root. Permissions on
the file are set up as ONLY group readable.

(here is what my ls -laZ in foo/ looks like
d-----x---+ root root rootbject_r:httpd_sys_content_t .
----r-----+ root root rootbject_r:httpd_sys_content_t bar

and when I browse to http://myserver/foo/bar .... I can see file bar!!!
This should NOT be the case! Can someone explain to me why oh why my
httpd daemon can access that file? is it because of the
httpd_sys_content_t? How can I get the to stop happening?

More details: this happens when the user is anything BUT apache (apache
is the user my httpd daemon runs as.) as soon as I chown the directory
and file to apache:apache, I get a '403 Forbidden' error in my browser.

This is so twisted. Help anyone?