From: russell@coker.com.au (Russell Coker)
Date: Thu, 14 Sep 2017 13:07:11 +1000
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To:
References: <20170910151158.5859-1-cgzones@googlemail.com>
Message-ID: <2826874.zb9Cjn7mqj@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wednesday, 13 September 2017 6:45:56 PM AEST Chris PeBenito wrote:
> On 09/13/2017 04:09 AM, Christian Göttsche wrote:
> > Or should I create a boolean for the log manage permissions?
>
> No. If we find that under certain situations the manage permissions are
> needed, we can reconsider then.

I agree. Having lots of booleans is annoying, confusing, and not good for security in practice. When something like this is up for debate I think it's best to have a default policy of removing the access in question and waiting for more evidence of why it's needed.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/