From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 4 Oct 2016 19:20:28 -0400 Subject: [refpolicy] webalizer patch In-Reply-To: <20161003060840.kybi6bnlfibob4ly@athena.coker.com.au> References: <20161003060840.kybi6bnlfibob4ly@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/03/16 02:08, Russell Coker via refpolicy wrote: > Below is the current Debian patch for Webalizer. I was prompted to submit > this for consideration now when I noticed that webalizer_usage_t had been > removed from the upstream repository. > > Note that I'm not suggesting that we should necessarily include this policy > as-is. It could make sense to combine the functions of webalizer_usage_t > and webalizer_log_t because it's ALL log data really. I'd be happy to send > a replacement patch if merging those types is considered the correct thing > to do. I would think that the webalizer_usage_t would be the same as the existing webalizer_var_lib_t; it's all the data that webalizer keeps for history, right? > Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te > =================================================================== > --- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te > +++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te > @@ -245,6 +245,11 @@ optional_policy(` > varnishd_manage_log(logrotate_t) > ') > > +optional_policy(` > + webalizer_usage_manage(logrotate_t) > + webalizer_run(logrotate_t, system_r) > +') > + > ####################################### > # > # Mail local policy > Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if > =================================================================== > --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if > +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if 
> @@ -45,3 +45,23 @@ interface(`webalizer_run',` > webalizer_domtrans($1) > roleattribute $2 webalizer_roles; > ') > + > +######################################## > +## > +## Manage webalizer usage files > +## > +## > +## > +## Domain allowed to manage webalizer usage files > +## > +## > +## > +# > +interface(`webalizer_usage_manage',` > + gen_require(` > + type webalizer_usage_t; > + ') > + > + allow $1 webalizer_usage_t:dir manage_dir_perms; > + allow $1 webalizer_usage_t:file manage_file_perms; > +') > Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te > =================================================================== > --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te > +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te > @@ -16,12 +16,18 @@ role webalizer_roles types webalizer_t; > type webalizer_etc_t; > files_config_file(webalizer_etc_t) > > +type webalizer_usage_t; > +files_type(webalizer_usage_t) > + > type webalizer_tmp_t; > files_tmp_file(webalizer_tmp_t) > > type webalizer_var_lib_t; > files_type(webalizer_var_lib_t) > > +type webalizer_log_t; > +logging_log_file(webalizer_log_t) > + > ######################################## > # > # Local policy 
> @@ -34,13 +40,19 @@ allow webalizer_t self:fifo_file rw_fifo > allow webalizer_t self:unix_dgram_socket sendto; > allow webalizer_t self:unix_stream_socket { accept connectto listen }; > allow webalizer_t self:tcp_socket { accept listen }; > +allow webalizer_t webalizer_usage_t:dir manage_dir_perms; > +allow webalizer_t webalizer_usage_t:file manage_file_perms; > > allow webalizer_t webalizer_etc_t:file read_file_perms; > +files_read_usr_files(webalizer_t) > > manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) > manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) > files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) > > +manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t) > +manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t) > + > manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t) > files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) > > @@ -50,6 +62,7 @@ kernel_read_kernel_sysctls(webalizer_t) > kernel_read_system_state(webalizer_t) > > files_read_etc_runtime_files(webalizer_t) > +miscfiles_read_fonts(webalizer_t) > > fs_search_auto_mountpoints(webalizer_t) > fs_getattr_xattr_fs(webalizer_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
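Review bot: in the logrotate.te hunk, webalizer_usage_manage(logrotate_t) is bound to a type the cover letter itself proposes folding into webalizer_var_lib_t; if that merge goes ahead this line has to become a call on a var_lib interface, and no such interface exists in webalizer.if for logrotate_t to use. No matching call is added for webalizer_log_t either, so either logrotate already reaches it through the logfile attribute that logging_log_file assigns, or rotation of webalizer's own logs is simply not covered; the commit message should say which files logrotate is expected to touch.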
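Review bot: the new webalizer_usage_manage interface in webalizer.if uses raw allow rules (`allow $1 webalizer_usage_t:dir manage_dir_perms;` and `allow $1 webalizer_usage_t:file manage_file_perms;`) where the rest of the module uses pattern macros; write it as `manage_dirs_pattern($1, webalizer_usage_t, webalizer_usage_t)` and `manage_files_pattern($1, webalizer_usage_t, webalizer_usage_t)` and name it in the `<module>_manage_<object>` form already used by the varnishd_manage_log call in the logrotate hunk (e.g. webalizer_manage_usage_files). The caller is also given no search access to the parent directory; a files_search_var()-style call would normally accompany this, but the patch never states where the usage files live.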
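Review bot: the webalizer.te declarations hunk adds webalizer_usage_t and webalizer_log_t, but there is no webalizer.fc hunk labelling any path with either type and no filetrans rule elsewhere in the patch creating files with them, so nothing on disk will ever carry these labels without a manual relabel; add the .fc entries and the appropriate files_var_lib_filetrans / logging_log_filetrans calls. As the reply above notes, if webalizer_usage_t holds the same history data as webalizer_var_lib_t, reusing webalizer_var_lib_t removes the need for the new type and its interface entirely.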
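Review bot: the local-policy hunk of webalizer.te grants webalizer_usage_t with raw allow rules but webalizer_log_t with manage_dirs_pattern/manage_files_pattern in the same hunk; use the pattern macros for both. The new webalizer_log_t rules also have no filetrans, unlike the tmp and var_lib blocks directly above and below them, and files_read_usr_files(webalizer_t) is dropped between the self and webalizer_etc_t rules rather than grouped with the other files_* interface calls further down next to files_read_etc_runtime_files.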
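Review bot: in the last webalizer.te hunk, miscfiles_read_fonts(webalizer_t) is inserted between the files_* and fs_* calls; the existing block groups interface calls by module in order, so it belongs after the fs_* calls. The commit message should also say which webalizer feature needs font access, since nothing in the patch explains the new permission.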