php error log policy

Dominick Grift dominick.grift at gmail.com
Fri Sep 23 12:03:22 UTC 2011


On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> Hi,
> 
> php module has a capability to write errors to a log file.
> Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
> 
> error_log = /var/log/php/php_error.log
> 
> in RHEL6 I can find an existing context suitable for this though. 

I guess httpd_sys_content_rw_t

> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.

It just should not open the file for write. We don't want webapps to be
able to erase log trails.

> Shall I open a bugzilla request or there is something I overlooked?

No, use httpd_sys_content_rw_t or fix the web app to open the log file
for append only (latter recommended)

> Thanks,
> Vadym
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
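A small triage helper for the denials this setup produces, added here as an example and not part of the thread or of Fedora's tooling: it parses AVC records in audit.log format and applies the rule Dominick states above, flagging a denied write from httpd_t on httpd_log_t as the app needing an append-only open, and a denial on var_log_t (what a hand-made /var/log/php picks up by default) or on a web content type as a labelling problem. The sample records and the verdict strings are assumptions.

```python
import re

# Constructed audit.log excerpts (not from the thread): a PHP worker in
# httpd_t touching php_error.log under three different labels.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1316779402.123:4501): avc:  denied  { write } for  pid=2741 comm="httpd" name="php_error.log" dev=dm-0 ino=131091 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1316779402.130:4502): avc:  denied  { append } for  pid=2741 comm="httpd" name="php_error.log" dev=dm-0 ino=131092 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1316779402.140:4503): avc:  denied  { write } for  pid=2741 comm="httpd" name="php_error.log" dev=dm-0 ino=131093 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?'
    r'tclass=(?P<tclass>\w+)'
)

# Permissions that let a process rewrite or erase log history.
DESTRUCTIVE = {"write", "unlink", "rename"}

def parse_avc(line):
    """Return perms, source domain, target type and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m.group("perms").split()),
            "sdom": m.group("scontext").split(":")[2],   # e.g. httpd_t
            "ttype": m.group("tcontext").split(":")[2],  # e.g. httpd_log_t
            "tclass": m.group("tclass")}

def classify(rec):
    """Map one denial onto the advice given in the thread."""
    if rec is None or rec["sdom"] != "httpd_t" or rec["tclass"] != "file":
        return "unrelated"
    if rec["ttype"] == "httpd_log_t":
        if rec["perms"] & DESTRUCTIVE:
            return "app-bug: log opened for write/truncate; make the app append"
        return "unexpected: httpd_log_t should allow append; check policy"
    if rec["ttype"] == "var_log_t":
        return "label: hand-made log dir kept var_log_t; relabel to httpd_log_t"
    return "label: log not under httpd_log_t; a content type loses logrotate"

def triage(audit_text):
    """Classify every AVC line: list of (sorted perms, target type, verdict)."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((sorted(rec["perms"]), rec["ttype"], classify(rec)))
    return out
```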
