<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/24/2011 09:47 AM, Dominick Grift wrote:
<blockquote
cite="mid:1316850472.1931.47.camel@x220.mydomain.internal"
type="cite">
<pre wrap="">On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
php module has a capability to write errors to a log file.
Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
</pre>
</blockquote>
<pre wrap="">
I guess httpd_sys_content_rw_t
</pre>
</blockquote>
<pre wrap="">
which logrotate doesn't have access to.
</pre>
</blockquote>
</blockquote>
Vadym, <br>
please open a new bug with AVC, which you see, on selinux-policy
component on RHEL6 and I will move it further. <br>
<br>
Thank you.<br>
<br>
Regards,<br>
Miroslav<br>
<span class="r"></span>
<blockquote
cite="mid:1316850472.1931.47.camel@x220.mydomain.internal"
type="cite">
<pre wrap="">
I guess i would temporarily use public_content_rw_t and allow httpd-t
and logrotate the need acess to it, i would file a bugzilla, and when a
fix is implemented remove the public_content_rw_t workaround
</pre>
<blockquote type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
</pre>
</blockquote>
<pre wrap="">
It just should not open the file for write. We dont want webapps to be
able to erase log trails.
</pre>
<blockquote type="cite">
<pre wrap="">Shall I open a bugzilla request or there is something I overlooked?
</pre>
</blockquote>
<pre wrap="">
No, use httpd_sys_content_rw_t or fix the web app to open the log file
for append only (latter recommended)
</pre>
</blockquote>
<pre wrap="">
I agree, but this would require fix from php developers or Redhat
Cheers,
Vadym
</pre>
<blockquote type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Thanks,
Vadym
--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a>
</pre>
</blockquote>
<pre wrap="">
--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</body>
</html>