Re: apache and setroubleshot policy oddities

On Thu, 2013-03-14 at 10:50 -0400, m.roth@xxxxxxxxx wrote:

> allow httpd_t httpd_log_t:file write;
> 
> Why on earth can't something running as httpd_t write to a logfile of
> httpd_log_t in /var/log/httpd/?
> 

Because httpd, and any webapp running in the httpd_t domain, should open
the log file for "append" rather than "write".

By allowing httpd_t to "write" to the log file, one allows httpd and any
webapp running in the httpd_t domain to remove log entries, thus
manipulating the audit trail. A compromised webapp could erase traces.

Auditing is generally important, for legal purposes and to figure out
where a breach originated. It helps if one can trust to some extent the
integrity of one's log files.

It's common practice for coders to open log files for append only.

So I consider this a bug in the webapp.

You can, if you want, use audit2allow to allow this event, but that is not
encouraged.

> And then there's this...
> 
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t httpd_sys_script_t:dir read;
> allow setroubleshootd_t httpd_sys_script_t:file getattr;
> 
> Shouldn't setroubleshootd have rights?

I guess it wants to read a webapp's process state files. Not sure if that
should be allowed.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
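The point made above, that a log opened with O_APPEND needs only the SELinux `append` permission while an open without it needs `write`, and that `write` is what lets a process rewrite or wipe the trail, as an added example (this is not code from the thread, from httpd or from the SELinux policy). A temporary file stands in for /var/log/httpd/error_log, the log entries and fdinfo samples are constructed, and the function names are illustrative:

```python
"""
Added example: SELinux `append` versus `write` on httpd_log_t, shown through
the POSIX open flags the kernel maps to those permissions.  Not code from
the mailing-list thread, httpd or the SELinux policy.  A temporary file
stands in for /var/log/httpd/error_log; function names are illustrative.
"""
import os
import tempfile


def append_entry(path, line):
    """Open the log the way a well-behaved daemon does: O_WRONLY|O_APPEND.

    SELinux maps an O_APPEND open to the `append` permission only.  The
    kernel ignores the file offset for O_APPEND writes, so every entry lands
    at the end: this descriptor can add to the trail but not rewrite it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    try:
        os.lseek(fd, 0, os.SEEK_SET)          # seek to the start on purpose...
        os.write(fd, (line + "\n").encode())  # ...the write still goes to EOF
    finally:
        os.close(fd)


def overwrite_entry(path, offset, data):
    """Open without O_APPEND.  SELinux requires `write` for this open, which
    is exactly the denial quoted in the thread.  Such a descriptor can seek
    anywhere and clobber earlier entries without changing the file size."""
    fd = os.open(path, os.O_WRONLY)
    try:
        os.lseek(fd, offset, os.SEEK_SET)
        os.write(fd, data)
    finally:
        os.close(fd)


def truncate_log(path):
    """Wipe the trail.  O_TRUNC (like ftruncate) also needs `write`."""
    os.close(os.open(path, os.O_WRONLY | os.O_TRUNC))


def read_log(path):
    with open(path, "rb") as f:
        return f.read().decode()


def demo():
    """Run append, overwrite and truncate on a scratch log; return the
    three snapshots so the effect of each permission is visible."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "error_log")
        append_entry(log, "[notice] Apache started")           # constructed
        append_entry(log, "[error] client 10.0.0.5 requested /admin")
        after_append = read_log(log)
        # Offset 24 is the start of the second line; rewrite its severity
        # in place, the kind of tampering `append` alone cannot do.
        overwrite_entry(log, 24, b"[debug]")
        after_overwrite = read_log(log)
        truncate_log(log)
        after_truncate = read_log(log)
        return after_append, after_overwrite, after_truncate


# Practitioner check: how did a running process open its log?  The 'flags:'
# field of /proc/<pid>/fdinfo/<fd> is the open(2) flags in octal.  These two
# samples are constructed from this platform's flag values.
FDINFO_APPEND = "pos:\t0\nflags:\t0%o\nmnt_id:\t28\n" % (
    os.O_WRONLY | os.O_CREAT | os.O_APPEND)
FDINFO_WRITE = "pos:\t0\nflags:\t0%o\nmnt_id:\t28\n" % (
    os.O_WRONLY | os.O_CREAT)


def fdinfo_opened_append(fdinfo_text):
    """Return True if the descriptor described by fdinfo_text was opened
    with O_APPEND (needs only `append`), False if it needs `write`."""
    for line in fdinfo_text.splitlines():
        if line.startswith("flags:"):
            flags = int(line.split()[1], 8)
            return bool(flags & os.O_APPEND)
    raise ValueError("no flags: line in fdinfo text")


if __name__ == "__main__":
    for snapshot in demo():
        print(repr(snapshot))
    print("append-only:", fdinfo_opened_append(FDINFO_APPEND))
    print("append-only:", fdinfo_opened_append(FDINFO_WRITE))
```

To apply the check to a live httpd, `cat /proc/$(pidof -s httpd)/fdinfo/N` for each descriptor that `ls -l /proc/<pid>/fd` shows pointing into /var/log/httpd/, and feed the text to `fdinfo_opened_append`; a descriptor without O_APPEND is the webapp (or module) that triggered the `write` denial.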


