From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Sep 2017 17:23:14 -0400
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <CAJ2a_Df198qx_W=FP00O3G45pyJ3YvwAzzwabiQmmwDgc0nwVw@mail.gmail.com>
References: <20170910151158.5859-1-cgzones@googlemail.com>
	<20170910151158.5859-2-cgzones@googlemail.com>
	<7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org>
	<18817434.Qai6GQvkHI@xev>
	<CAJ2a_Df198qx_W=FP00O3G45pyJ3YvwAzzwabiQmmwDgc0nwVw@mail.gmail.com>
Message-ID: <ba9dcae2-d303-99ed-63dc-97b004ffb884@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 05:56 AM, Christian G?ttsche wrote:
>> It's not as if this change really restricts things anyway, httpd_t can still
>> copy the log data to a new file and unless you are tracking Inode numbers or
>> creation time you won't notice.  I don't think create+read+append access is
>> meaningfully more restricting than manage_file_perms.
> 
> My idea is, that the domain can not overwrite the existing logs or
> tamper with them in any way.

I'm inclined to restore the previous permissions (this patch) unless 
there is a solid case for keeping what we have.

-- 
Chris PeBenito