From: cgzones@googlemail.com (Christian Göttsche)
Date: Wed, 13 Sep 2017 10:09:49 +0200
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <2276373.k7QpJJhrmk@xev>
References: <20170910151158.5859-1-cgzones@googlemail.com> <2276373.k7QpJJhrmk@xev>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Or should I create a boolean for the log manage permissions?

2017-09-13 2:44 GMT+02:00 Russell Coker :
> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
>> On 09/12/2017 05:56 AM, Christian Göttsche wrote:
>> >> It's not as if this change really restricts things anyway, httpd_t can
>> >> still copy the log data to a new file and unless you are tracking Inode
>> >> numbers or creation time you won't notice. I don't think
>> >> create+read+append access is meaningfully more restricting than
>> >> manage_file_perms.
>> >
>> > My idea is that the domain cannot overwrite the existing logs or
>> > tamper with them in any way.
>>
>> I'm inclined to restore the previous permissions (this patch) unless
>> there is a solid case for keeping what we have.
>
> OK give that a go and we'll do more tests about how it works.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
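The boolean idea raised in the message above, as an added illustration that is not part of the posted patch, of refpolicy, or of any participant's words: a tunable that keeps httpd_t at create+read+append on httpd_log_t by default and only grants manage_file_perms when an administrator switches it on. The boolean name httpd_manage_logs is a hypothetical placeholder; the pattern macros, httpd_t and httpd_log_t are refpolicy's own. The snippet assumes it would live in policy/modules/services/apache.te next to the existing log rules, replacing whatever manage rule is there.

```selinux
## <desc>
## <p>
## Allow httpd to fully manage (truncate, rename, unlink)
## existing log files instead of only creating and appending.
## Hypothetical boolean, added for illustration only.
## </p>
## </desc>
gen_tunable(httpd_manage_logs, false)

########################################
#
# Log access (default: append-only)
#
# httpd_t may create new files in the log directory, read them and
# append to them. It gets no write, rename or unlink on httpd_log_t,
# so an existing log cannot be truncated or rewritten in place.
# Caveat already noted in the thread: create still lets the domain
# write a fresh file, so this does not prevent copying log data to a
# new inode; it only protects the existing inode's contents.
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)

tunable_policy(`httpd_manage_logs',`
	# Opt-in: full manage_file_perms, i.e. the broader access the
	# thread discusses restoring (write, rename, unlink, ...).
	manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
')
```

With this layout an administrator who wants the broader behaviour runs `setsebool -P httpd_manage_logs on`; the default stays at the tighter rule set. The effect of either branch is observable in the compiled policy with `sesearch -A -s httpd_t -t httpd_log_t -c file`, which is a quick way to confirm that write and unlink are absent when the boolean is off.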