From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 13 Sep 2017 18:45:56 -0400 Subject: [refpolicy] [PATCH 2/2] apache: update In-Reply-To: References: <20170910151158.5859-1-cgzones@googlemail.com> <2276373.k7QpJJhrmk@xev> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/13/2017 04:09 AM, Christian G?ttsche wrote: > Or should I create a boolean for the log manage permissions? No. If we find that under certain situations the manage permissions are needed, we can reconsider then. > 2017-09-13 2:44 GMT+02:00 Russell Coker : >> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote: >>> On 09/12/2017 05:56 AM, Christian G?ttsche wrote: >>>>> It's not as if this change really restricts things anyway, httpd_t can >>>>> still copy the log data to a new file and unless you are tracking Inode >>>>> numbers or creation time you won't notice. I don't think >>>>> create+read+append access is meaningfully more restricting than >>>>> manage_file_perms. >>>> >>>> My idea is, that the domain can not overwrite the existing logs or >>>> tamper with them in any way. >>> >>> I'm inclined to restore the previous permissions (this patch) unless >>> there is a solid case for keeping what we have. >> >> OK give that a go and we'll do more tests about how it works. -- Chris PeBenito