From 404c8d08e3b4ec9970baa6af55359902d43c3ded Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 20 Oct 2022 19:20:14 +0200
Subject: [PATCH] Allow rotatelogs read httpd_log_t symlinks

This permission is required when rotatelogs is used in apache httpd configuration for handling logs and the /etc/httpd/logs path is used where the last directory is a symlink to ../../var/log/httpd:

CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www.example.com 3600" combined

It is executed with /etc/httpd as CWD, so it needs the search permission for httpd_config_t, too.

Resolves: rhbz#2030633
---
 policy/modules/contrib/apache.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 73957e4459..9101494b7e 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1668,6 +1668,8 @@ optional_policy(`
 allow httpd_rotatelogs_t self:capability { dac_read_search };
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
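Review bot: The two added rules carry no in-policy comment, so the reason they belong together — rotatelogs running with /etc/httpd as its working directory and following the /etc/httpd/logs symlink — survives only in the commit message; suggest preceding them with `# rotatelogs runs with /etc/httpd as CWD and follows the /etc/httpd/logs symlink into httpd_log_t`. The `read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)` line only helps if that symlink is actually labeled httpd_log_t; if the `logs` entry under /etc/httpd inherits httpd_config_t from the surrounding config tree, the lnk_file read would still be denied, so the matching apache.fc entry should be confirmed alongside this change rather than assumed. Granting only `search_dir_perms` on httpd_config_t, instead of a broader read pattern, is the right least-privilege scope for a CWD traversal. The enclosing optional_policy block starts before and ends after this hunk.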