From 404c8d08e3b4ec9970baa6af55359902d43c3ded Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 20 Oct 2022 19:20:14 +0200
Subject: [PATCH] Allow rotatelogs read httpd_log_t symlinks
This permission is required when rotatelogs is used in apache httpd
configuration for handling logs and the /etc/httpd/logs path is used
where the last directory is a symlink to ../../var/log/httpd:
CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www.example.com 3600" combined
It is executed with /etc/httpd as CWD, so it needs the search permission
for httpd_config_t, too.
Resolves: rhbz#2030633
---
policy/modules/contrib/apache.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 73957e4459..9101494b7e 100644
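--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1668,6 +1668,8 @@ optional_policy(`
 allow httpd_rotatelogs_t self:capability { dac_read_search };
 
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
 kernel_dontaudit_list_proc(httpd_rotatelogs_t)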
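Review bot: The two added rules carry no comment, so a later policy audit cannot tell from apache.te why httpd_rotatelogs_t may search httpd_config_t directories; a line such as `# rotatelogs runs with /etc/httpd as CWD and /etc/httpd/logs is a symlink into /var/log/httpd (rhbz#2030633)` above them would keep the justification next to the grant. The `read_lnk_files_pattern` rule applies to every symlink labelled httpd_log_t, not only /etc/httpd/logs, and this domain already holds `dac_read_search` and manage rights on httpd_log_t files, so it is worth confirming which domains are able to create httpd_log_t symlinks before relying on it. The enclosing `optional_policy` block starts and ends outside the hunk.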