On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:

> On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
>> Hi,
>>
>> php module has a capability to write errors to a log file.
>> Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
>>
>> error_log = /var/log/php/php_error.log
>>
>> in RHEL6 I can find an existing context suitable for this though.
>
> I guess httpd_sys_content_rw_t which logrotate doesn't have access to.
>
>> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
>
> It just should not open the file for write. We don't want webapps to be
> able to erase log trails.
>
>> Shall I open a bugzilla request or is there something I overlooked?
>
> No, use httpd_sys_content_rw_t or fix the web app to open the log file
> for append only (latter recommended)

I agree, but this would require a fix from php developers or Redhat

Cheers,
Vadym

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux