From: russell@coker.com.au (Russell Coker)
Date: Wed, 13 Sep 2017 10:44:36 +1000
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To:
References: <20170910151158.5859-1-cgzones@googlemail.com>
Message-ID: <2276373.k7QpJJhrmk@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
> On 09/12/2017 05:56 AM, Christian Göttsche wrote:
> >> It's not as if this change really restricts things anyway, httpd_t can
> >> still copy the log data to a new file and unless you are tracking Inode
> >> numbers or creation time you won't notice. I don't think
> >> create+read+append access is meaningfully more restricting than
> >> manage_file_perms.
> >
> > My idea is, that the domain can not overwrite the existing logs or
> > tamper with them in any way.
>
> I'm inclined to restore the previous permissions (this patch) unless
> there is a solid case for keeping what we have.

OK give that a go and we'll do more tests about how it works.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/