From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Sep 2017 17:23:14 -0400
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To:
References: <20170910151158.5859-1-cgzones@googlemail.com> <20170910151158.5859-2-cgzones@googlemail.com> <7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org> <18817434.Qai6GQvkHI@xev>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 05:56 AM, Christian Göttsche wrote:
>> It's not as if this change really restricts things anyway, httpd_t can still
>> copy the log data to a new file and unless you are tracking Inode numbers or
>> creation time you won't notice. I don't think create+read+append access is
>> meaningfully more restricting than manage_file_perms.
>
> My idea is, that the domain can not overwrite the existing logs or
> tamper with them in any way.

I'm inclined to restore the previous permissions (this patch) unless there is a solid case for keeping what we have.

--
Chris PeBenito
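
The inode tracking mentioned in the quoted text, as an added example that is not part of the thread or of refpolicy: a monitor that snapshots a log file's device, inode and size, then reports when the name points at a different inode or the file has shrunk. The function names and the access.log sample file are constructed for illustration.

```python
import os
import tempfile

def snapshot(path):
    """Record the identity (device, inode) and size of a log file."""
    st = os.stat(path)
    return {"dev": st.st_dev, "ino": st.st_ino, "size": st.st_size}

def check(prev, path):
    """Compare the file now behind `path` with an earlier snapshot."""
    try:
        cur = snapshot(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if (cur["dev"], cur["ino"]) != (prev["dev"], prev["ino"]):
        findings.append("replaced")    # same name, different inode
    elif cur["size"] < prev["size"]:
        findings.append("truncated")   # same inode, but it shrank
    return findings

def demo():
    """Run the three cases from the discussion against a constructed log."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")   # constructed sample file
        with open(log, "w") as f:
            f.write("GET / 200\n")

        base = snapshot(log)
        with open(log, "a") as f:             # plain append: expected behaviour
            f.write("GET /a 200\n")
        results["append"] = check(base, log)

        base = snapshot(log)
        new = log + ".new"                    # copy to a new file, rename over
        with open(log) as src, open(new, "w") as dst:
            dst.write(src.read())
        os.replace(new, log)
        results["copy_and_replace"] = check(base, log)

        base = snapshot(log)
        open(log, "w").close()                # overwrite in place
        results["truncate"] = check(base, log)
    return results

if __name__ == "__main__":
    print(demo())
```

Legitimate log rotation also changes the inode, so a monitor like this needs to take a fresh snapshot after each scheduled rotation.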