From: russell@coker.com.au (Russell Coker)
Date: Mon, 3 Oct 2016 17:08:40 +1100
Subject: [refpolicy] webalizer patch
Message-ID: <20161003060840.kybi6bnlfibob4ly@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Below is the current Debian patch for Webalizer. I was prompted to submit this for consideration now when I noticed that webalizer_usage_t had been removed from the upstream repository. Note that I'm not suggesting that we should necessarily include this policy as-is. It could make sense to combine the functions of webalizer_usage_t and webalizer_log_t because it's ALL log data really. I'd be happy to send a replacement patch if merging those types is considered the correct thing to do.
Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te
@@ -245,6 +245,11 @@ optional_policy(`
 varnishd_manage_log(logrotate_t)
 ')
+optional_policy(`
+ webalizer_usage_manage(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
 #######################################
 #
 # Mail local policy
Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if
+++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if
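Review bot: `webalizer_run(logrotate_t, system_r)` attaches system_r to the webalizer_roles attribute through the `_run` interface's `roleattribute`, which is the user-role form of the interface; if system_r is already permitted for webalizer_t in webalizer.te, `webalizer_domtrans(logrotate_t)` is the narrower call and avoids widening the role attribute. The new `optional_policy` block also carries no comment saying which logrotate hook executes webalizer, so a reader cannot judge whether the transition is needed at all; a line such as `# Debian runs webalizer from a logrotate postrotate script` (adjust to the real hook) above it would document that. Note that `webalizer_usage_manage(logrotate_t)` is only required because the webalizer.te hunk declares webalizer_usage_t with `files_type`; if that type carried `logging_log_file` instead, logrotate_t's existing handling of logfile-attributed types would presumably cover it and this interface call could be dropped, which lines up with the cover letter's suggestion to merge the two types.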
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
 webalizer_domtrans($1)
 roleattribute $2 webalizer_roles;
 ')
+
+########################################
+##
+## Manage webalizer usage files
+##
+##
+##
+## Domain allowed to manage webalizer usage files
+##
+##
+##
+#
+interface(`webalizer_usage_manage',`
+ gen_require(`
+ type webalizer_usage_t;
+ ')
+
+ allow $1 webalizer_usage_t:dir manage_dir_perms;
+ allow $1 webalizer_usage_t:file manage_file_perms;
+')
Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te
+++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te
@@ -16,12 +16,18 @@ role webalizer_roles types webalizer_t;
 type webalizer_etc_t;
 files_config_file(webalizer_etc_t)
+type webalizer_usage_t;
+files_type(webalizer_usage_t)
+
 type webalizer_tmp_t;
 files_tmp_file(webalizer_tmp_t)
 type webalizer_var_lib_t;
 files_type(webalizer_var_lib_t)
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
 ########################################
 #
 # Local policy
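Review bot: `webalizer_usage_manage` grants manage permissions on webalizer_usage_t itself but nothing to reach its parent directory, so a caller that does not already search the enclosing path gets less than the summary "Manage webalizer usage files" promises; the interface should pair these rules with the appropriate search interface for wherever the usage directory lives, which this patch does not show since it contains no webalizer.fc hunk. The body also uses raw `allow $1 webalizer_usage_t:dir manage_dir_perms;` and `allow $1 webalizer_usage_t:file manage_file_perms;` rules where refpolicy interfaces conventionally use the pattern macros: `manage_dirs_pattern($1, webalizer_usage_t, webalizer_usage_t)` and `manage_files_pattern($1, webalizer_usage_t, webalizer_usage_t)`. If the usage files are in fact rotated logs, as the cover letter suggests, consider whether this interface is needed at all once the type carries the logfile attribute.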
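Review bot: `webalizer_usage_t` is declared with `files_type` while the sibling `webalizer_log_t` added two stanzas below uses `logging_log_file`, and the cover letter describes both as log data; declaring the usage type with `logging_log_file(webalizer_usage_t)` would give it the logfile attribute (so generic log handling such as logrotate's applies) and turn the proposed merge into a one-line change later. Neither new type comes with a webalizer.fc hunk in this patch, so from the patch alone it is unclear what on-disk paths they label; either the file-context change belongs in this series or a comment above each type should say where it is applied, e.g. `# webalizer usage/report files (paths in webalizer.fc)` above `type webalizer_usage_t;` (adjust to the actual contents).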
@@ -34,13 +40,19 @@ allow webalizer_t self:fifo_file rw_fifo
 allow webalizer_t self:unix_dgram_socket sendto;
 allow webalizer_t self:unix_stream_socket { accept connectto listen };
 allow webalizer_t self:tcp_socket { accept listen };
+allow webalizer_t webalizer_usage_t:dir manage_dir_perms;
+allow webalizer_t webalizer_usage_t:file manage_file_perms;
 allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
 manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
 files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
@@ -50,6 +62,7 @@ kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
 files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
 fs_search_auto_mountpoints(webalizer_t)
 fs_getattr_xattr_fs(webalizer_t)
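Review bot: The new `manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)` / `manage_files_pattern(…)` rules are not paired with a `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })`, so unless the log directory itself is already labelled webalizer_log_t by a file context that is not part of this patch, files webalizer_t creates under the log tree would presumably inherit the parent's label and fall outside these rules. The two `allow webalizer_t webalizer_usage_t:…` lines use raw allow rules while the log type a few lines below uses the pattern macros; `manage_dirs_pattern(webalizer_t, webalizer_usage_t, webalizer_usage_t)` and `manage_files_pattern(webalizer_t, webalizer_usage_t, webalizer_usage_t)` would be consistent with the rest of the block. `files_read_usr_files(webalizer_t)` is a cross-module interface call placed among the type-local allow rules; refpolicy convention groups it with the other `files_*` calls in the section the next hunk touches. The enclosing rule block continues past the end of this hunk.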
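Review bot: `miscfiles_read_fonts(webalizer_t)` is inserted between the `files_*` and `fs_*` calls, whereas refpolicy orders interface calls by module prefix, which would place it after the `fs_*` lines (and after any `kernel_*`/`logging_*` calls that follow outside the hunk). A short why-comment would also help, since it is not obvious why a log analyser needs fonts: `# graph rendering via gd reads system fonts` (confirm against the denial that motivated the rule). The file's rule list continues beyond the last visible line `fs_getattr_xattr_fs(webalizer_t)`.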