On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
> On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
>
> > On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> >> Hi,
> >>
> >> php module has a capability to write errors to a log file.
> >> Since unlike other apache logs this one is updated by a child I had to create a separate directory where the apache user would have write access:
> >>
> >> error_log = /var/log/php/php_error.log
> >>
> >> in RHEL6 I can find an existing context suitable for this though.
> >
> > I guess httpd_sys_content_rw_t
> >

which logrotate doesn't have access to. I guess I would temporarily use public_content_rw_t and allow httpd_t and logrotate the needed access to it, I would file a bugzilla, and when a fix is implemented remove the public_content_rw_t workaround.

>
> >
> >> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
> >
> > It just should not open the file for write. We don't want webapps to be able to erase log trails.
> >
> >> Shall I open a bugzilla request or is there something I overlooked?
> >
> > No, use httpd_sys_content_rw_t or fix the web app to open the log file for append only (latter recommended)
>
> I agree, but this would require a fix from php developers or Redhat
>
> Cheers,
> Vadym
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
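An added example (not from this thread) of the difference Dominick points at: a log opened O_WRONLY lets the writer seek back and overwrite earlier entries, or wipe the file with O_TRUNC, while a log opened O_WRONLY|O_APPEND always lands writes at the end no matter where the descriptor was seeked. Under SELinux a write-mode open without O_APPEND maps to the file `write` permission (as does O_TRUNC) and one with O_APPEND maps only to `append`, which is why an append-only log type refuses the first kind of open. The log entries and the temporary directory are constructed for the demo.

```python
import os
import tempfile

def write_entries(path, flags, entries):
    """Open `path` with the given open(2) flags and write `entries`, seeking
    back to offset 0 before the last one, as a misbehaving (or compromised)
    web app trying to overwrite earlier log lines would. Returns the file's
    final contents."""
    fd = os.open(path, flags | os.O_CREAT, 0o640)
    try:
        for i, entry in enumerate(entries):
            if i == len(entries) - 1:
                os.lseek(fd, 0, os.SEEK_SET)   # ignored when O_APPEND is set
            os.write(fd, entry)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()

def reopen_truncating(path):
    """Reopen an existing log the way fopen(path, "w") does (O_WRONLY|O_TRUNC)
    and return its size afterwards; under SELinux this needs `write`."""
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC)
    os.close(fd)
    return os.path.getsize(path)

def demo():
    # Constructed sample entries; the last one is the overwrite attempt.
    entries = [b"[err] first\n", b"[err] second\n", b"XXXX\n"]
    with tempfile.TemporaryDirectory() as d:
        plain = write_entries(os.path.join(d, "write.log"),
                              os.O_WRONLY, entries)
        appended = write_entries(os.path.join(d, "append.log"),
                                 os.O_WRONLY | os.O_APPEND, entries)
        truncated = reopen_truncating(os.path.join(d, "write.log"))
    return plain, appended, truncated

if __name__ == "__main__":
    plain, appended, truncated = demo()
    print("O_WRONLY          :", plain)      # first entry partly overwritten
    print("O_WRONLY|O_APPEND :", appended)   # trail intact, entry appended
    print("size after O_TRUNC reopen:", truncated)
```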