09-23-2011, 11:52 AM
Vadym Chepkov

php error log policy

Hi,

php module has a capability to write errors to a log file.
Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:

error_log = /var/log/php/php_error.log

in RHEL6 I can find an existing context suitable for this though.
I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.

Shall I open a bugzilla request or there is something I overlooked?

Thanks,
Vadym

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-23-2011, 12:03 PM
Dominick Grift

php error log policy

On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> Hi,
>
> php module has a capability to write errors to a log file.
> Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
>
> error_log = /var/log/php/php_error.log
>
> in RHEL6 I can find an existing context suitable for this though.

I guess httpd_sys_content_rw_t

> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.

It just should not open the file for write. We don't want webapps to be
able to erase log trails.

> Shall I open a bugzilla request or there is something I overlooked?

No, use httpd_sys_content_rw_t or fix the web app to open the log file
for append only (latter recommended)

> Thanks,
> Vadym
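The append-versus-write distinction Dominick is making, as an added example in C (my own code, not from the thread or from PHP): the same seek to offset 0 and the same write are issued once through an O_APPEND descriptor and once through a plain O_WRONLY one; only the latter can clobber an earlier entry, which is the difference between the SELinux "append" and "write" file permissions behind the httpd_log_t problem. It assumes a writable /tmp and uses a constructed sample log entry.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample entry; the demo file lives in /tmp, not /var/log/php. */
static const char *OLD_ENTRY = "[23-Sep-2011 07:52:00] PHP Notice: existing entry\n";

/* Recreate the demo log containing only OLD_ENTRY; returns bytes written. */
static long seed_log(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
    if (fd < 0) return -1;
    long n = (long)write(fd, OLD_ENTRY, strlen(OLD_ENTRY));
    close(fd);
    return n;
}

/* Open with the given flags, seek to offset 0, write one line, return the new
 * length. With O_APPEND (SELinux "append") the kernel ignores the seek and
 * writes at the end; with plain O_WRONLY (SELinux "write") the bytes land at
 * offset 0 and overwrite the earlier entry. */
static long write_at_start(const char *path, int flags, const char *line) {
    int fd = open(path, flags);
    if (fd < 0) return -1;
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, line, strlen(line)) < 0) {
        close(fd);
        return -1;
    }
    long len = (long)lseek(fd, 0, SEEK_END);
    close(fd);
    return len;
}

/* Returns 1 if OLD_ENTRY is still at the head of the file, 0 if clobbered. */
static int first_entry_intact(const char *path) {
    char buf[80] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    long n = (long)read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strncmp(buf, OLD_ENTRY, strlen(OLD_ENTRY)) == 0;
}

int main(void) {
    const char *p = "/tmp/php_error_demo.log";
    seed_log(p); write_at_start(p, O_WRONLY | O_APPEND, "XXXX\n");
    printf("O_APPEND: first entry intact = %d\n", first_entry_intact(p));
    seed_log(p); write_at_start(p, O_WRONLY, "XXXX\n");
    printf("O_WRONLY: first entry intact = %d\n", first_entry_intact(p));
}
```

An append-only file context therefore limits a compromised web app to adding noise, not removing evidence, and a policy that grants only append (rather than write) enforces that in the kernel regardless of how the application opens the file.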
 
09-24-2011, 01:03 AM
Vadym Chepkov

php error log policy

On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:

> On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
>> Hi,
>>
>> php module has a capability to write errors to a log file.
>> Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
>>
>> error_log = /var/log/php/php_error.log
>>
>> in RHEL6 I can find an existing context suitable for this though.
>
> I guess httpd_sys_content_rw_t

which logrotate doesn't have access to.


>
>> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
>
> It just should not open the file for write. We dont want webapps to be
> able to erase log trails.
>
>> Shall I open a bugzilla request or there is something I overlooked?
>
> No, use httpd_sys_content_rw_t or fix the web app to open the log file
> for append only (latter recommended)

I agree, but this would require fix from php developers or Redhat

Cheers,
Vadym


>
>> Thanks,
>> Vadym
 
09-24-2011, 07:47 AM
Dominick Grift

php error log policy

On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
> On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
>
> > On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> >> Hi,
> >>
> >> php module has a capability to write errors to a log file.
> >> Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
> >>
> >> error_log = /var/log/php/php_error.log
> >>
> >> in RHEL6 I can find an existing context suitable for this though.
> >
> > I guess httpd_sys_content_rw_t
>
> which logrotate doesn't have access to.

I guess I would temporarily use public_content_rw_t and allow httpd_t
and logrotate the needed access to it, I would file a bugzilla, and when a
fix is implemented remove the public_content_rw_t workaround

>
> >
> >> I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
> >
> > It just should not open the file for write. We dont want webapps to be
> > able to erase log trails.
> >
> >> Shall I open a bugzilla request or there is something I overlooked?
> >
> > No, use httpd_sys_content_rw_t or fix the web app to open the log file
> > for append only (latter recommended)
>
> I agree, but this would require fix from php developers or Redhat
>
> Cheers,
> Vadym
>
>
> >
> >> Thanks,
> >> Vadym
 
09-25-2011, 06:28 PM
Miroslav Grepl

php error log policy

On 09/24/2011 09:47 AM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
> > On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
> > > On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> > > > Hi,
> > > >
> > > > php module has a capability to write errors to a log file.
> > > > Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
> > > >
> > > > error_log = /var/log/php/php_error.log
> > > >
> > > > in RHEL6 I can find an existing context suitable for this though.
> > >
> > > I guess httpd_sys_content_rw_t
> >
> > which logrotate doesn't have access to.

Vadym,

please open a new bug with AVC, which you see, on selinux-policy
component on RHEL6 and I will move it further.

Thank you.

Regards,

Miroslav

> I guess i would temporarily use public_content_rw_t and allow httpd-t
> and logrotate the need acess to it, i would file a bugzilla, and when a
> fix is implemented remove the public_content_rw_t workaround
>
> > > > I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
> > >
> > > It just should not open the file for write. We dont want webapps to be
> > > able to erase log trails.
> > >
> > > > Shall I open a bugzilla request or there is something I overlooked?
> > >
> > > No, use httpd_sys_content_rw_t or fix the web app to open the log file
> > > for append only (latter recommended)
> >
> > I agree, but this would require fix from php developers or Redhat
> >
> > Cheers,
> > Vadym
> >
> > > > Thanks,
> > > > Vadym
 
09-27-2011, 11:26 AM
Vadym Chepkov

php error log policy

On Sep 25, 2011, at 2:28 PM, Miroslav Grepl wrote:
> On 09/24/2011 09:47 AM, Dominick Grift wrote:
> > On Fri, 2011-09-23 at 21:03 -0400, Vadym Chepkov wrote:
> > > On Sep 23, 2011, at 8:03 AM, Dominick Grift wrote:
> > > > On Fri, 2011-09-23 at 07:52 -0400, Vadym Chepkov wrote:
> > > > > Hi,
> > > > >
> > > > > php module has a capability to write errors to a log file.
> > > > > Since unlike other apache logs this one is updated by a child I had to create a separate directory where apache user would have write access:
> > > > >
> > > > > error_log = /var/log/php/php_error.log
> > > > >
> > > > > in RHEL6 I can find an existing context suitable for this though.
> > > >
> > > > I guess httpd_sys_content_rw_t
> > >
> > > which logrotate doesn't have access to.
>
> Vadym,
>
> please open a new bug with AVC, which you see, on selinux-policy
> component on RHEL6 and I will move it further.

Miroslav,
I would be happy to, but what context do you want me to apply to /var/log/php before collecting AVCs?

Thank you,
Vadym

> Thank you.
>
> Regards,
>
> Miroslav
>
> > I guess i would temporarily use public_content_rw_t and allow httpd-t
> > and logrotate the need acess to it, i would file a bugzilla, and when a
> > fix is implemented remove the public_content_rw_t workaround
> >
> > > > > I can't use httpd_log_t, because php log is opened for "writing", not "appending" and if I use any other httpd "working" contexts, logrotate is not allowed to rotate this log.
> > > >
> > > > It just should not open the file for write. We dont want webapps to be
> > > > able to erase log trails.
> > > >
> > > > > Shall I open a bugzilla request or there is something I overlooked?
> > > >
> > > > No, use httpd_sys_content_rw_t or fix the web app to open the log file
> > > > for append only (latter recommended)
> > >
> > > I agree, but this would require fix from php developers or Redhat
> > >
> > > Cheers,
> > > Vadym
> > >
> > > > > Thanks,
> > > > > Vadym