On 09/24/2011 09:47 AM, Dominick Grift wrote:
> Vadym,
>
> On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
>> On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
>>> On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> php module has a capability to write errors to a log file. Since
>>>> unlike other apache logs this one is updated by a child I had to
>>>> create a separate directory where apache user would have write
>>>> access:
>>>>
>>>> error_log = /var/log/php/php_error.log
>>>>
>>>> in RHEL6 I can find an existing context suitable for this though.
>>>
>>> I guess httpd_sys_content_rw_t
>>
>> which logrotate doesn't have access to.
>>
>> please open a new bug with AVC, which you see, on selinux-policy
>> component on RHEL6 and I will move it further.
>>
>> Thank you.
>>
>> Regards,
>> Miroslav
>
> I guess I would temporarily use public_content_rw_t and allow httpd_t
> and logrotate the needed access to it, I would file a bugzilla, and when
> a fix is implemented remove the public_content_rw_t workaround.
>
>>>> I can't use httpd_log_t, because php log is opened for "writing",
>>>> not "appending" and if I use any other httpd "working" contexts,
>>>> logrotate is not allowed to rotate this log.
>>>
>>> It just should not open the file for write. We don't want webapps to
>>> be able to erase log trails.
>>>
>>>> Shall I open a bugzilla request or there is something I overlooked?
>>>
>>> No, use httpd_sys_content_rw_t or fix the web app to open the log
>>> file for append only (latter recommended)
>>
>> I agree, but this would require fix from php developers or Redhat
>>
>> Cheers,
>> Vadym
>>>>
>>>> Thanks,
>>>> Vadym
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
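The thread's point about "write" versus "append" is a file-descriptor semantics issue, not only an SELinux one. The following added example (not from the thread or from PHP/Red Hat) shows, on Linux/POSIX semantics, why a log opened O_WRONLY lets the writer clobber earlier entries and leaves a NUL-filled gap after logrotate's copytruncate, while O_APPEND forces every write to the current end of file. The file name php_error.log and the log lines are constructed sample data.

```python
import os
import tempfile

OLD_ENTRY = b"[old] first entry\n"   # constructed sample log line


def _fresh_log(path: str) -> None:
    """Recreate the sample log with one existing entry."""
    with open(path, "wb") as f:
        f.write(OLD_ENTRY)


def write_at_start(path: str, flags: int, data: bytes) -> bytes:
    """Open with `flags`, seek to offset 0, write `data`, return contents.
    With O_WRONLY the write overwrites the old entry; with O_APPEND the
    kernel ignores the seek and places the write at end of file."""
    fd = os.open(path, flags)
    try:
        os.lseek(fd, 0, os.SEEK_SET)
        os.write(fd, data)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()


def write_after_truncate(path: str, flags: int, data: bytes) -> bytes:
    """Keep the descriptor open while the file is truncated to zero (what
    logrotate's copytruncate does), then write again. O_WRONLY keeps its
    stale offset and creates a sparse NUL gap; O_APPEND writes at offset 0."""
    fd = os.open(path, flags)
    try:
        os.write(fd, OLD_ENTRY)          # offset is now len(OLD_ENTRY)
        os.truncate(path, 0)             # rotation empties the file
        os.write(fd, data)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()


def compare_modes() -> dict:
    """Run both scenarios under O_WRONLY and O_WRONLY|O_APPEND."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "php_error.log")
        for name, flags in (("write", os.O_WRONLY),
                            ("append", os.O_WRONLY | os.O_APPEND)):
            _fresh_log(path)
            results[name + "_seek0"] = write_at_start(path, flags, b"[new] ")
            _fresh_log(path)
            results[name + "_rotated"] = write_after_truncate(path, flags, b"[new] ")
    return results
```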