php error log policy

Vadym Chepkov vchepkov at gmail.com
Tue Sep 27 11:26:58 UTC 2011


On Sep 25, 2011, at 2:28 PM, Miroslav Grepl wrote:

> On 09/24/2011 09:47 AM, Dominick Grift wrote:
>> 
>> On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
>>> On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
>>> 
>>>> On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
>>>>> Hi,
>>>>> 
>>>>> php module has a capability to write errors to a log file.
>>>>> Since, unlike other apache logs, this one is updated by a child, I had to create a separate directory where the apache user would have write access:
>>>>> 
>>>>> error_log = /var/log/php/php_error.log
>>>>> 
>>>>> in RHEL6 I can find an existing context suitable for this though. 
>>>> I guess httpd_sys_content_rw_t
>>> which logrotate doesn't have access to.
> Vadym, 
> please open a new bug with the AVC you see, on the selinux-policy component on RHEL6, and I will move it further. 


Miroslav,

I would be happy to, but what context do you want me to apply to /var/log/php before collecting AVCs?

Thank you,
Vadym



> 
> Thank you.
> 
> Regards,
> Miroslav
>> I guess I would temporarily use public_content_rw_t and allow httpd_t
>> and logrotate the needed access to it, I would file a bugzilla, and when a
>> fix is implemented remove the public_content_rw_t workaround
>> 
>>>>> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
>>>> It just should not open the file for write. We don't want webapps to be
>>>> able to erase log trails.
>>>> 
>>>>> Shall I open a bugzilla request or there is something I overlooked?
>>>> No, use httpd_sys_content_rw_t or fix the web app to open the log file
>>>> for append only (latter recommended)
>>> I agree, but this would require a fix from php developers or Red Hat
>>> 
>>> Cheers,
>>> Vadym
>>> 
>>> 
>>>>> Thanks,
>>>>> Vadym
>>>>> 
>>>>> --
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> 
> 
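The thread's security point is that httpd_log_t lets httpd append to a log but not open it for write, so a compromised web app cannot rewrite or truncate its own error trail. The following is an added example, not code from the list or from the php or selinux-policy projects, that demonstrates at the open(2) level why that distinction matters: the same seek-and-write attempt is run against a constructed sample log opened with O_APPEND, with plain O_WRONLY, and with O_TRUNC. The `selinux_file_permission` helper is an assumed simplification of the kernel's mapping of open flags to the SELinux `append` versus `write` file permission; the sample log entry is constructed.

```python
import os
import tempfile

# Constructed sample entry; not a real PHP error message from the thread.
SEED = b"[25-Sep-2011 14:28:00] PHP Warning: constructed sample entry\n"
CLOBBER = b"XXXXXXXXXX\n"


def _seeded_log():
    """Create a temporary log file pre-filled with one existing entry."""
    fd, path = tempfile.mkstemp(prefix="php_error_", suffix=".log")
    os.write(fd, SEED)
    os.close(fd)
    return path


def trail_after_overwrite(flags):
    """Reopen the seeded log with the given open(2) flags, seek to the start
    and write a new entry (what a process trying to hide the earliest lines
    would do), then return the file's final contents."""
    path = _seeded_log()
    fd = os.open(path, flags)
    try:
        os.lseek(fd, 0, os.SEEK_SET)
        os.write(fd, CLOBBER)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return data


def append_only_preserves_trail():
    # O_APPEND: the kernel forces every write to end-of-file, so the seek is
    # ignored and the existing entry survives.
    return trail_after_overwrite(os.O_WRONLY | os.O_APPEND)


def plain_write_clobbers_trail():
    # Plain write mode honours the seek: the start of the trail is overwritten.
    return trail_after_overwrite(os.O_WRONLY)


def truncating_open_erases_trail():
    # O_TRUNC empties the file at open time; the whole trail is gone.
    return trail_after_overwrite(os.O_WRONLY | os.O_TRUNC)


def selinux_file_permission(flags):
    """Assumed simplification of how SELinux checks a write-mode open:
    an O_APPEND open without O_TRUNC is checked against 'append' (which
    httpd_log_t grants httpd); anything that can change existing bytes,
    including truncation, needs 'write'."""
    if flags & os.O_APPEND and not flags & os.O_TRUNC:
        return "append"
    return "write"


if __name__ == "__main__":
    for name, fn in (("O_APPEND", append_only_preserves_trail),
                     ("O_WRONLY", plain_write_clobbers_trail),
                     ("O_TRUNC", truncating_open_erases_trail)):
        print(f"{name}: {fn()!r}")
```

Run on a Linux host, the O_APPEND case is the only one in which the original entry is still intact afterwards, which is exactly why the thread recommends fixing the logger to open for append rather than relabelling the directory with a read-write content type.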


