<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Sep 25, 2011, at 2:28 PM, Miroslav Grepl wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
On 09/24/2011 09:47 AM, Dominick Grift wrote:
<blockquote cite="mid:1316850472.1931.47.camel@x220.mydomain.internal" type="cite">
<pre wrap="">On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
php module has a capability to write errors to a log file.
Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
</pre>
</blockquote>
<pre wrap="">I guess httpd_sys_content_rw_t
</pre>
</blockquote>
<pre wrap="">which logrotate doesn't have access to.
</pre>
</blockquote>
</blockquote>
Vadym, <br>
please open a new bug with AVC, which you see, on selinux-policy
component on RHEL6 and I will move it further. <br></div></blockquote><div><br></div><div><br></div><div>Miroslav,</div><div><br></div><div>I would be happy to, but what context to you want me to apply to /var/log/php before collecting AVCs ?</div><div><br></div><div>Thank you,</div><div>Vadym</div><div><br></div><div><br></div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">
<br>
Thank you.<br>
<br>
Regards,<br>
Miroslav<br>
<span class="r"></span>
<blockquote cite="mid:1316850472.1931.47.camel@x220.mydomain.internal" type="cite">
<pre wrap="">I guess i would temporarily use public_content_rw_t and allow httpd-t
and logrotate the need acess to it, i would file a bugzilla, and when a
fix is implemented remove the public_content_rw_t workaround
</pre>
<blockquote type="cite">
<pre wrap=""></pre>
<blockquote type="cite">
<pre wrap=""></pre>
<blockquote type="cite">
<pre wrap="">I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
</pre>
</blockquote>
<pre wrap="">It just should not open the file for write. We dont want webapps to be
able to erase log trails.
</pre>
<blockquote type="cite">
<pre wrap="">Shall I open a bugzilla request or there is something I overlooked?
</pre>
</blockquote>
<pre wrap="">No, use httpd_sys_content_rw_t or fix the web app to open the log file
for append only (latter recommended)
</pre>
</blockquote>
<pre wrap="">I agree, but this would require fix from php developers or Redhat
Cheers,
Vadym
</pre>
<blockquote type="cite">
<pre wrap=""></pre>
<blockquote type="cite">
<pre wrap="">Thanks,
Vadym
--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a>
</pre>
</blockquote>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a>
</pre>
</blockquote>
<pre wrap=""></pre>
</blockquote>
<pre wrap=""></pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></body></html>