From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 19 Oct 2016 19:03:15 -0400
Subject: [refpolicy] webalizer patch for inclusion
In-Reply-To: <20161019060720.dzvlmq3hg4jynd6y@athena.coker.com.au>
References: <20161019060720.dzvlmq3hg4jynd6y@athena.coker.com.au>
Message-ID: <23af08c0-b3e0-6600-18d6-f0b7b971a7d5@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/19/16 02:07, Russell Coker via refpolicy wrote:
> Thanks Chris for the suggestions, here's a patch that I think is worthy of
> inclusion.
>
Merged, though I moved a couple lines.
> Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te
> @@ -245,6 +245,11 @@ optional_policy(`
> varnishd_manage_log(logrotate_t)
> ')
>
> +optional_policy(`
> + manage_webalizer_var_lib(logrotate_t)
> + webalizer_run(logrotate_t, system_r)
> +')
> +
> #######################################
> #
> # Mail local policy
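
Review bot: logrotate_t is given both manage access to the webalizer usage files and a transition into webalizer in this optional_policy block, with no comment saying why both are needed. If logrotate only launches webalizer from a rotate script, webalizer_run(logrotate_t, system_r) may be enough on its own, since webalizer would then presumably write its files in its own domain; if logrotate itself touches those files, a one-line comment saying so would justify the wider grant. The call to manage_webalizer_var_lib also stands out next to varnishd_manage_log and webalizer_run, which both put the module name first.
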
> Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if
> +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if
> @@ -45,3 +45,23 @@ interface(`webalizer_run',`
> webalizer_domtrans($1)
> roleattribute $2 webalizer_roles;
> ')
> +
> +########################################
> +##
> +## Manage webalizer usage files
> +##
> +##
> +##
> +## Domain allowed to manage webalizer usage files
> +##
> +##
> +##
> +#
> +interface(`manage_webalizer_var_lib',`
> + gen_require(`
> + type webalizer_var_lib_t;
> + ')
> +
> + allow $1 webalizer_var_lib_t:dir manage_dir_perms;
> + allow $1 webalizer_var_lib_t:file manage_file_perms;
> +')
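
Review bot: the new interface name manage_webalizer_var_lib puts the verb before the module name, unlike webalizer_run and webalizer_domtrans just above it in the same file; a module-first name (for example webalizer_manage_var_lib, as a suggestion) would match them. The body uses two raw allow rules on webalizer_var_lib_t, while webalizer.te in this same patch uses manage_dirs_pattern and manage_files_pattern for webalizer_tmp_t, so the same patterns here would keep the module consistent. The documentation block as shown has only bare ## lines around the two description sentences; please confirm the summary and parameter markup is present in the file.
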
> Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te
> +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te
> @@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socke
> allow webalizer_t self:tcp_socket { accept listen };
>
> allow webalizer_t webalizer_etc_t:file read_file_perms;
> +files_read_usr_files(webalizer_t)
>
> manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
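
Review bot: files_read_usr_files(webalizer_t) is placed directly under the allow rule for webalizer_etc_t, in the middle of the rules for the module's own types, while the other files_ call (files_read_etc_runtime_files) sits in a later block. Moving it next to files_read_etc_runtime_files(webalizer_t) would keep local-type rules and external interface calls separate. The grant is also not explained: a short comment naming what webalizer reads under the usr file type would make the access easier to audit later.
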
> @@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
> kernel_read_system_state(webalizer_t)
>
> files_read_etc_runtime_files(webalizer_t)
> +miscfiles_read_fonts(webalizer_t)
>
> fs_search_auto_mountpoints(webalizer_t)
> fs_getattr_xattr_fs(webalizer_t)
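
Review bot: miscfiles_read_fonts(webalizer_t) is inserted between the files_ and fs_ calls, which splits a run of calls that is otherwise grouped by module prefix (kernel_, files_, fs_). Placing it in its own group after the fs_ calls, or with any other miscfiles_ calls in the file, would keep the ordering consistent. A brief comment on why webalizer needs font access would also help a later reader judge whether the permission is still required.
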
--
Chris PeBenito