Hi,
php module has a capability to write errors to a log file. Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though. I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
Shall I open a bugzilla request or there is something I overlooked?
Thanks, Vadym
On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
Hi,
php module has a capability to write errors to a log file. Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
I guess httpd_sys_content_rw_t
I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
It just should not open the file for write. We dont want webapps to be able to erase log trails.
Shall I open a bugzilla request or there is something I overlooked?
No, use httpd_sys_content_rw_t or fix the web app to open the log file for append only (latter recommended)
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
Hi,
php module has a capability to write errors to a log file. Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
I guess httpd_sys_content_rw_t
which logrotate doesn't have access to.
I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
It just should not open the file for write. We dont want webapps to be able to erase log trails.
Shall I open a bugzilla request or there is something I overlooked?
No, use httpd_sys_content_rw_t or fix the web app to open the log file for append only (latter recommended)
I agree, but this would require fix from php developers or Redhat
Cheers, Vadym
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
Hi,
php module has a capability to write errors to a log file. Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
I guess httpd_sys_content_rw_t
which logrotate doesn't have access to.
I guess i would temporarily use public_content_rw_t and allow httpd-t and logrotate the need acess to it, i would file a bugzilla, and when a fix is implemented remove the public_content_rw_t workaround
I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
It just should not open the file for write. We dont want webapps to be able to erase log trails.
Shall I open a bugzilla request or there is something I overlooked?
No, use httpd_sys_content_rw_t or fix the web app to open the log file for append only (latter recommended)
I agree, but this would require fix from php developers or Redhat
Cheers, Vadym
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 09/24/2011 09:47 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
Hi,
php module has a capability to write errors to a log file. Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
I guess httpd_sys_content_rw_t
which logrotate doesn't have access to.
Vadym, please open a new bug with AVC, which you see, on selinux-policy component on RHEL6 and I will move it further.
Thank you.
Regards, Miroslav
I guess i would temporarily use public_content_rw_t and allow httpd-t and logrotate the need acess to it, i would file a bugzilla, and when a fix is implemented remove the public_content_rw_t workaround
I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
It just should not open the file for write. We dont want webapps to be able to erase log trails.
Shall I open a bugzilla request or there is something I overlooked?
No, use httpd_sys_content_rw_t or fix the web app to open the log file for append only (latter recommended)
I agree, but this would require fix from php developers or Redhat
Cheers, Vadym
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Sep 25, 2011, at 2:28 PM, Miroslav Grepl wrote:
On 09/24/2011 09:47 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
Hi,
php module has a capability to write errors to a log file. Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
error_log = /var/log/php/php_error.log
in RHEL6 I can find an existing context suitable for this though.
I guess httpd_sys_content_rw_t
which logrotate doesn't have access to.
Vadym, please open a new bug with AVC, which you see, on selinux-policy component on RHEL6 and I will move it further.
Miroslav,
I would be happy to, but what context to you want me to apply to /var/log/php before collecting AVCs ?
Thank you, Vadym
Thank you.
Regards, Miroslav
I guess i would temporarily use public_content_rw_t and allow httpd-t and logrotate the need acess to it, i would file a bugzilla, and when a fix is implemented remove the public_content_rw_t workaround
I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
It just should not open the file for write. We dont want webapps to be able to erase log trails.
Shall I open a bugzilla request or there is something I overlooked?
No, use httpd_sys_content_rw_t or fix the web app to open the log file for append only (latter recommended)
I agree, but this would require fix from php developers or Redhat
Cheers, Vadym
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
selinux@lists.fedoraproject.org
-
Dominick Grift -
Miroslav Grepl -
Vadym Chepkov