From: russell@coker.com.au (Russell Coker)
Date: Tue, 12 Sep 2017 14:17:01 +1000
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org>
References: <20170910151158.5859-1-cgzones@googlemail.com>
 <20170910151158.5859-2-cgzones@googlemail.com>
 <7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org>
Message-ID: <18817434.Qai6GQvkHI@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Monday, 11 September 2017 7:13:22 PM AEST Chris PeBenito wrote:
> > @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> > files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
> >
> > manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > logging_log_filetrans(httpd_t, httpd_log_t, file)
>
> This reverses a recent change, but I can't remember why we changed it.
> Russell?

I can't remember either. But usually the case is that the application needs
some write access in some situation and therefore we have required every
access that matters.

It's not as if this change really restricts things anyway, httpd_t can still
copy the log data to a new file and unless you are tracking Inode numbers or
creation time you won't notice. I don't think create+read+append access is
meaningfully more restricting than manage_file_perms.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
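Review bot: the hunk replaces `manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` with append, create, read and setattr patterns, which drops plain write, unlink, rename and link on httpd_log_t files, yet the `manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)` line directly above is kept, so httpd_t may still create and remove log directories while being unable to truncate or remove the files inside them; add a comment above the four `*_files_pattern` lines stating the intent (append-only log files, so the daemon cannot rewrite or delete its own log history) and, if that is the goal, consider whether directory removal should be narrowed as well. It is also worth recording in that comment the limit of the measure: create plus append still lets httpd_t write new files into the log directory, so this protects existing log content from in-place modification rather than bounding what the domain can write, which is the point raised in the reply below.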