On Thu, 2013-03-14 at 10:50 -0400, m.roth@xxxxxxxxx wrote:

> allow httpd_t httpd_log_t:file write;
>
> Why on earth can't something running as httpd_t write to a logfile of
> httpd_log_t in /var/log/httpd/?

Because httpd, and any webapps running in the httpd_t domain, should open the log file for "append" rather than "write".

By allowing httpd_t to "write" to the log file, one allows httpd and any webapp running in the httpd_t domain to remove log entries, thus manipulating the audit trail. A compromised webapp could erase traces.

Auditing is generally important, for legal purposes and to figure out where a breach originated. It helps if one can trust to some extent the integrity of one's log files.

It's common practice for coders to open log files for append only. So I consider this a bug in the webapp.

You can, if you want, use audit2allow to allow this event, but that is not encouraged.

> And then there's this...
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t httpd_sys_script_t:dir read;
> allow setroubleshootd_t httpd_sys_script_t:file getattr;
>
> Shouldn't setroubleshootd have rights?

I guess it wants to read a webapp process state files. Not sure if that should be allowed.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux