php error log policy

Miroslav Grepl mgrepl at redhat.com
Sun Sep 25 18:28:18 UTC 2011


On 09/24/2011 09:47 AM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
>> On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
>>
>>> On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> php module has a capability to write errors to a log file.
>>>> Since, unlike other apache logs, this one is updated by a child, I had to create a separate directory where the apache user would have write access:
>>>>
>>>> error_log = /var/log/php/php_error.log
>>>>
>>>> in RHEL6 I can find an existing context suitable for this though.
>>> I guess httpd_sys_content_rw_t
>> which logrotate doesn't have access to.
Vadym,
please open a new bug with AVC, which you see, on selinux-policy 
component on RHEL6 and I will move it further.

Thank you.

Regards,
Miroslav
> I guess I would temporarily use public_content_rw_t and allow httpd_t
> and logrotate the needed access to it, I would file a bugzilla, and when a
> fix is implemented remove the public_content_rw_t workaround
>
>>>> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
>>> It just should not open the file for write. We don't want webapps to be
>>> able to erase log trails.
>>>
>>>> Shall I open a bugzilla request or there is something I overlooked?
>>> No, use httpd_sys_content_rw_t or fix the web app to open the log file
>>> for append only (latter recommended)
>> I agree, but this would require a fix from php developers or Redhat
>>
>> Cheers,
>> Vadym
>>
>>
>>>> Thanks,
>>>> Vadym
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
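The thread's two complaints about a log opened for "writing" rather than "appending" (a web app can erase its own trail, and logrotate cannot safely rotate it) both come down to the O_APPEND flag, which is also what separates SELinux's `append` permission from `write`. The following Python script, added here as an illustration and not part of the mailing list thread or of php/selinux-policy, simulates both problems on a temporary file: a long-running writer that keeps its descriptor open across a truncate-style rotation, and a writer that seeks back and overwrites earlier lines. The log lines and the rotation step are constructed for the demo; no SELinux is involved.

```python
import os
import tempfile

# Constructed sample log lines, not real php output.
LINE1 = b"[23-Sep-2011 07:52:00] PHP Warning: constructed sample line 1\n"
LINE2 = b"[23-Sep-2011 07:53:00] PHP Warning: constructed sample line 2\n"


def _open_log(path: str, use_append: bool) -> int:
    """Open a log the way a daemon would: O_WRONLY only (SELinux 'write'),
    or O_WRONLY|O_APPEND (SELinux 'append' is enough)."""
    flags = os.O_WRONLY | os.O_CREAT
    if use_append:
        flags |= os.O_APPEND
    return os.open(path, flags, 0o640)


def _with_temp_log(fn, use_append: bool):
    """Run fn(fd, path) on a fresh temp file and return the final contents."""
    tmpdir = tempfile.mkdtemp(prefix="php_log_demo_")
    path = os.path.join(tmpdir, "php_error.log")
    fd = _open_log(path, use_append)
    try:
        fn(fd, path)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        data = f.read()
    os.remove(path)
    os.rmdir(tmpdir)
    return data


def simulate_rotation(use_append: bool) -> dict:
    """A writer holds the log open while a rotation truncates the file.

    Without O_APPEND the writer resumes at its old offset, leaving a hole of
    NUL bytes; with O_APPEND every write lands at the current end of file."""
    def scenario(fd, path):
        os.write(fd, LINE1)
        # Rotation step (e.g. logrotate copytruncate): truncate the live file.
        with open(path, "r+b") as live:
            live.truncate(0)
        os.write(fd, LINE2)

    data = _with_temp_log(scenario, use_append)
    return {
        "size": len(data),
        "has_hole": b"\x00" in data,
        "clean": data == LINE2,
    }


def history_survives_overwrite(use_append: bool) -> bool:
    """A writer tries to erase its own trail by seeking back to offset 0.

    With O_APPEND the kernel ignores the file position for writes, so the
    earlier line is preserved; without it the earlier line is overwritten."""
    def scenario(fd, path):
        os.write(fd, LINE1)
        os.lseek(fd, 0, os.SEEK_SET)
        os.write(fd, b"X" * len(LINE1))

    data = _with_temp_log(scenario, use_append)
    return data.startswith(LINE1)


if __name__ == "__main__":
    for mode in (False, True):
        print("O_APPEND" if mode else "O_WRONLY",
              simulate_rotation(mode),
              "history intact:", history_survives_overwrite(mode))
```

The append-only writer ends up with exactly the post-rotation line and its earlier line intact after the overwrite attempt; the plain-write writer leaves a NUL-filled hole after rotation and loses its first line to the overwrite. That is the behaviour a type like httpd_log_t, which grants `append` but not `write`, is designed to enforce on the web server side.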
