From: russell@coker.com.au (Russell Coker) Date: Wed, 19 Oct 2016 17:07:20 +1100 Subject: [refpolicy] webalizer patch for inclusion Message-ID: <20161019060720.dzvlmq3hg4jynd6y@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Thanks Chris for the suggestions, here's a patch that I think is worthy of inclusion. Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te =================================================================== --- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te +++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te @@ -245,6 +245,11 @@ optional_policy(` varnishd_manage_log(logrotate_t) ') +optional_policy(` + manage_webalizer_var_lib(logrotate_t) + webalizer_run(logrotate_t, system_r) +') + ####################################### # # Mail local policy Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if =================================================================== --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if @@ -45,3 +45,23 @@ interface(`webalizer_run',` webalizer_domtrans($1) roleattribute $2 webalizer_roles; ') + +######################################## +## +## Manage webalizer usage files +## +## +## +## Domain allowed to manage webalizer usage files +## +## +## +# +interface(`manage_webalizer_var_lib',` + gen_require(` + type webalizer_var_lib_t; + ') + + allow $1 webalizer_var_lib_t:dir manage_dir_perms; + allow $1 webalizer_var_lib_t:file manage_file_perms; +') Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te =================================================================== --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te 
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socke allow webalizer_t self:tcp_socket { accept listen }; allow webalizer_t webalizer_etc_t:file read_file_perms; +files_read_usr_files(webalizer_t) manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) @@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) files_read_etc_runtime_files(webalizer_t) +miscfiles_read_fonts(webalizer_t) fs_search_auto_mountpoints(webalizer_t) fs_getattr_xattr_fs(webalizer_t)
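Review bot: in the logrotate.te hunk, `manage_webalizer_var_lib(logrotate_t)` calls an interface whose name does not follow the refpolicy convention of prefixing interfaces with their module name (compare `varnishd_manage_log` and `webalizer_run` in the same block); if the interface is renamed to `webalizer_manage_var_lib`, this caller needs the same change.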
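Review bot: in the webalizer.if hunk, the new interface should be named `webalizer_manage_var_lib` (module prefix first, as with `webalizer_run` above it), and the two raw `allow` rules would read more idiomatically as the pattern macros used elsewhere in the module, i.e. `manage_dirs_pattern($1, webalizer_var_lib_t, webalizer_var_lib_t)` and `manage_files_pattern($1, webalizer_var_lib_t, webalizer_var_lib_t)`. The interface also grants nothing on the parent directory, so a caller that does not already have it would need `files_search_var_lib($1)` to reach the usage files.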
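Review bot: in the webalizer.te hunks, `files_read_usr_files(webalizer_t)` is inserted between the local `webalizer_etc_t` rule and the tmp patterns, whereas the module's other `files_*` interface calls sit together further down (`files_read_etc_runtime_files(webalizer_t)` in the second hunk); moving it there keeps the usual grouping of calls by module. `miscfiles_read_fonts(webalizer_t)` is placed correctly but, like the usr-files access, would benefit from a one-line comment or commit note saying which denial it resolves.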