From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Sep 2017 18:45:56 -0400
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <CAJ2a_DcqZ6zUF8BnA+Zfeuf1uWuUQB8zJzn74-9_WD3PSAm1YA@mail.gmail.com>
References: <20170910151158.5859-1-cgzones@googlemail.com>
	<CAJ2a_Df198qx_W=FP00O3G45pyJ3YvwAzzwabiQmmwDgc0nwVw@mail.gmail.com>
	<ba9dcae2-d303-99ed-63dc-97b004ffb884@ieee.org>
	<2276373.k7QpJJhrmk@xev>
	<CAJ2a_DcqZ6zUF8BnA+Zfeuf1uWuUQB8zJzn74-9_WD3PSAm1YA@mail.gmail.com>
Message-ID: <d18c80d0-d288-fc5f-d45b-2925b0849636@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/13/2017 04:09 AM, Christian G?ttsche wrote:
> Or should I create a boolean for the log manage permissions?

No.  If we find that under certain situations the manage permissions are 
needed, we can reconsider then.


> 2017-09-13 2:44 GMT+02:00 Russell Coker <russell@coker.com.au>:
>> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
>>> On 09/12/2017 05:56 AM, Christian G?ttsche wrote:
>>>>> It's not as if this change really restricts things anyway, httpd_t can
>>>>> still copy the log data to a new file and unless you are tracking Inode
>>>>> numbers or creation time you won't notice.  I don't think
>>>>> create+read+append access is meaningfully more restricting than
>>>>> manage_file_perms.
>>>>
>>>> My idea is, that the domain can not overwrite the existing logs or
>>>> tamper with them in any way.
>>>
>>> I'm inclined to restore the previous permissions (this patch) unless
>>> there is a solid case for keeping what we have.
>>
>> OK give that a go and we'll do more tests about how it works.


-- 
Chris PeBenito