php error log policy

Dominick Grift dominick.grift at gmail.com
Sat Sep 24 07:47:52 UTC 2011


On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
> On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
> 
> > On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> >> Hi,
> >> 
> >> php module has a capability to write errors to a log file.
> >> Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
> >> 
> >> error_log = /var/log/php/php_error.log
> >> 
> >> In RHEL6 I can find an existing context suitable for this though.
> > 
> > I guess httpd_sys_content_rw_t
> 
> which logrotate doesn't have access to.

I guess I would temporarily use public_content_rw_t and allow httpd_t
and logrotate the needed access to it, I would file a bugzilla, and when a
fix is implemented remove the public_content_rw_t workaround.

> 
> > 
> >> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
> > 
> > It just should not open the file for write. We don't want webapps to be
> > able to erase log trails.
> > 
> >> Shall I open a bugzilla request or there is something I overlooked?
> > 
> > No, use httpd_sys_content_rw_t or fix the web app to open the log file
> > for append only (latter recommended)
> 
> I agree, but this would require a fix from php developers or Redhat
> 
> Cheers,
> Vadym
> 
> 
> > 
> >> Thanks,
> >> Vadym
> >> 
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

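The thread turns on which SELinux permission is actually being denied: `write` from httpd_t on an httpd_log_t file means PHP is opening the log without O_APPEND (the fix Dominick recommends), while a logrotate_t denial on httpd_sys_content_rw_t is the logrotate side effect Vadym hit. The following triage helper is an added example, not code from the thread or from any SELinux tool; the audit lines, paths, pids and contexts in it are constructed samples.

```python
import re

# Constructed sample AVC lines (not taken from the thread); contexts and pids are made up.
SAMPLE_AVC = """\
type=AVC msg=audit(1316790000.123:101): avc:  denied  { write } for  pid=2345 comm="httpd" name="php_error.log" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1316790001.456:102): avc:  denied  { rename } for  pid=2399 comm="logrotate" name="php_error.log" dev=dm-0 ino=1234 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_sys_content_rw_t:s0 tclass=file
"""

# Matches the fixed parts of an audit AVC denial: permission set, pid, comm, contexts, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()                # e.g. ["write"] or ["read", "write"]
    d["stype"] = d["scontext"].split(":")[2]       # source type, e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]       # target type, e.g. httpd_log_t
    return d


def classify(denial):
    """Map a parsed denial to the remediation the thread discusses."""
    if denial is None:
        return None
    # httpd_log_t only permits append: a 'write' denial means the app opened
    # the log without O_APPEND, so fix the open mode rather than the label.
    if denial["stype"] == "httpd_t" and denial["ttype"] == "httpd_log_t" \
            and "write" in denial["perms"]:
        return "open_for_append"
    # logrotate has no access to the httpd content types, which is why labelling
    # the log httpd_sys_content_rw_t breaks rotation.
    if denial["stype"] == "logrotate_t" and denial["ttype"].startswith("httpd_sys_content"):
        return "relabel_for_logrotate"
    return "unclassified"


def triage(audit_text):
    """Classify every AVC line in a block of audit.log text."""
    return [classify(parse_avc(l)) for l in audit_text.splitlines() if "avc:" in l]
```

Feed `triage()` the output of `ausearch -m avc` to see which of the two problems a given denial corresponds to.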