On 12/03/2013 11:21 AM, Dominick Grift wrote:
On Tue, 2013-12-03 at 16:50 +0100, Vidalie Hervé wrote:
Encountered problems :
Already discussed : httpd_log_t is not enough for httpd to create new log files -> to be replaced with httpd_sys_rw_content_t
New files (for example logs) are not correctly labeled (they are labeled like the folder)
This:
[root@d30 rules.d]# sesearch -ASC -d -t httpd_sys_ra_content_t
Found 7 semantic av rules:
   allow httpd_sys_ra_content_t httpd_sys_ra_content_t : filesystem associate ;
   allow httpd_sys_script_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ;
   allow httpd_sys_script_t httpd_sys_ra_content_t : dir { ioctl read write getattr lock add_name search open } ;
   allow httpd_sys_script_t httpd_sys_ra_content_t : lnk_file { read getattr } ;
ET allow httpd_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ; [ httpd_builtin_scripting ]
ET allow httpd_t httpd_sys_ra_content_t : dir { ioctl write getattr lock add_name search open } ; [ httpd_builtin_scripting ]
ET allow httpd_t httpd_sys_ra_content_t : lnk_file { read getattr } ; [ httpd_builtin_scripting ]
.. tells me that, at least on my system, both httpd_t as well as httpd_sys_script_t type processes are allowed to create new log files (files with type httpd_sys_ra_content_t) in directories with type httpd_sys_ra_content_t.
So instead of using httpd_log_t (which I would not use for any logs other than /var/log/httpd in the first place) use httpd_sys_ra_content_t. This is the type for readable/appendable (and creatable but not writable) files by httpd_t and httpd_sys_script_t.
This:
semanage fcontext -a -t httpd_log_t '/WEBS/[^/]+/[^/]+/logs'
.. Is wrong. Use this instead:
semanage fcontext -a -t httpd_sys_ra_content_t '/WEBS/[^/]+/[^/]+/logs(/.*)?'
Then restorecon -R -v -F /WEBS/*/logs
I am not sure I would label the lost+found directory differently, since this is still httpd_sys_content_t.
The only reason to label content httpd_log_t versus httpd_sys_ra_content_t is if the log files need to be used by log applications like logrotate.
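The difference between the two fcontext patterns in the reply is easy to miss: semanage and restorecon anchor the regex against the whole path, so a pattern that ends at "logs" matches only the directory itself, while "(/.*)?" also covers every file created inside it. The following script is an added example (not part of the thread) that emulates that anchored matching with grep -E on constructed sample paths; the function names and the /WEBS/site/vhost paths are assumptions chosen to mirror the thread's layout.

```shell
#!/bin/sh
# Added example, not from the thread: check which paths an SELinux
# fcontext regex would cover. semanage/restorecon anchor the regex to
# the full path, so we emulate that with grep -E and ^...$.

# fcontext_matches PATTERN PATH -> exit 0 if PATH is matched by PATTERN
fcontext_matches() {
    pattern="$1"
    path="$2"
    printf '%s\n' "$path" | grep -Eq "^${pattern}\$"
}

# count_matches PATTERN PATH... -> prints how many PATHs the pattern covers
count_matches() {
    pattern="$1"
    shift
    n=0
    for p in "$@"; do
        if fcontext_matches "$pattern" "$p"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# The two patterns from the reply: the first only matches the logs
# directory itself, the second also matches everything beneath it.
PATTERN_DIR_ONLY='/WEBS/[^/]+/[^/]+/logs'
PATTERN_RECURSIVE='/WEBS/[^/]+/[^/]+/logs(/.*)?'

# Constructed sample paths (assumed layout: /WEBS/<site>/<vhost>/...)
SAMPLE_DIR='/WEBS/site/vhost/logs'
SAMPLE_LOG='/WEBS/site/vhost/logs/access_log'
SAMPLE_HTML='/WEBS/site/vhost/html/index.html'

main() {
    for pat in "$PATTERN_DIR_ONLY" "$PATTERN_RECURSIVE"; do
        echo "pattern: $pat"
        for p in "$SAMPLE_DIR" "$SAMPLE_LOG" "$SAMPLE_HTML"; do
            if fcontext_matches "$pat" "$p"; then
                echo "  match   $p"
            else
                echo "  no match $p"
            fi
        done
    done
}

# Run the demo only when executed directly, not when sourced for tests.
[ "${0##*/}" = "fcontext_check.sh" ] && main
```

Running it as fcontext_check.sh prints that the directory-only pattern covers /WEBS/site/vhost/logs but not the access_log inside it, which is why a restorecon with that rule leaves existing log files labeled like their parent, whereas the "(/.*)?" variant covers both and never touches the html tree.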