php error log policy

Vadym Chepkov vchepkov at gmail.com
Sat Sep 24 01:03:19 UTC 2011


On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:

> On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
>> Hi,
>> 
>> php module has a capability to write errors to a log file.
>> Since, unlike other apache logs, this one is updated by a child, I had to create a separate directory where apache user would have write access:
>> 
>> error_log = /var/log/php/php_error.log
>> 
>> in RHEL6 I can find an existing context suitable for this though. 
> 
> I guess httpd_sys_content_rw_t

which logrotate doesn't have access to.


> 
>> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
> 
> It just should not open the file for write. We don't want webapps to be
> able to erase log trails.
> 
>> Shall I open a bugzilla request or there is something I overlooked?
> 
> No, use httpd_sys_content_rw_t or fix the web app to open the log file
> for append only (latter recommended)

I agree, but this would require a fix from php developers or Redhat

Cheers,
Vadym


> 
>> Thanks,
>> Vadym
>> 
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 


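The append-only fix recommended in the thread, as an added example in C (not code from the thread, from PHP or from the SELinux policy): it contrasts a log opened with O_APPEND against a plain write open to show why only the former preserves the log trail; the demo path under /tmp is constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* O_APPEND: the kernel places every write at end-of-file, so an earlier entry
 * cannot be overwritten even after a seek. SELinux checks 'append' for this. */
static int log_append(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd < 0) return -1;
    lseek(fd, 0, SEEK_SET);                  /* no effect on an O_APPEND write */
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Same write without O_APPEND: the seek is honoured and the first entry is
 * clobbered. SELinux checks the broader 'write' permission for this open. */
static int log_write_at_start(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT, 0640);
    if (fd < 0) return -1;
    lseek(fd, 0, SEEK_SET);
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Read the whole log into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_log(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

int main(void) {
    const char *path = "/tmp/php_error_demo.log";   /* constructed demo path */
    char buf[256];
    unlink(path);
    log_append(path, "first entry\n");
    log_append(path, "second entry\n");
    read_log(path, buf, sizeof buf);
    printf("after append-only writes:\n%s", buf);    /* both entries present */
    log_write_at_start(path, "CLOBBER\n");           /* overwrites the first entry */
    read_log(path, buf, sizeof buf);
    printf("after a plain write open:\n%s", buf);    /* trail damaged */
    return 0;
}
```

With a policy that grants the web server only `append` on the log type, the second open is the one that gets denied, which is exactly the property the thread wants for log trails.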