From: russell@coker.com.au (Russell Coker)
Date: Tue, 12 Sep 2017 14:17:01 +1000
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org>
References: <20170910151158.5859-1-cgzones@googlemail.com>
	<20170910151158.5859-2-cgzones@googlemail.com>
	<7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org>
Message-ID: <18817434.Qai6GQvkHI@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Monday, 11 September 2017 7:13:22 PM AEST Chris PeBenito wrote:
> > @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> > files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
> > 
> > manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > logging_log_filetrans(httpd_t, httpd_log_t, file)
> 
> This reverses a recent change, but I can't remember why we changed it. 
> Russell?

I can't remember either.  But usually the case is that the application needs 
some write access in some situation and therefore we have required every 
access that matters.

It's not as if this change really restricts things anyway, httpd_t can still 
copy the log data to a new file and unless you are tracking Inode numbers or 
creation time you won't notice.  I don't think create+read+append access is 
meaningfully more restricting than manage_file_perms.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/