2016-10-03 06:08:40

by Russell Coker

Subject: [refpolicy] webalizer patch

Below is the current Debian patch for Webalizer. I was prompted to submit
this for consideration now when I noticed that webalizer_usage_t had been
removed from the upstream repository.

Note that I'm not suggesting that we should necessarily include this policy
as-is. It could make sense to combine the functions of webalizer_usage_t
and webalizer_log_t because it's ALL log data really. I'd be happy to send
a replacement patch if merging those types is considered the correct thing
to do.

Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te
@@ -245,6 +245,11 @@ optional_policy(`
varnishd_manage_log(logrotate_t)
')

+optional_policy(`
+ webalizer_usage_manage(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
#######################################
#
# Mail local policy
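Review bot: `webalizer_usage_manage(logrotate_t)` hands logrotate_t create, unlink and rename on webalizer_usage_t, which is more than a postrotate hook needs: the webalizer.te hunk already lets webalizer_t manage those files, so once logrotate transitions through `webalizer_run(logrotate_t, system_r)` the history is rewritten in the webalizer_t domain, not in logrotate_t. Unless logrotate is itself configured to rotate the usage files, dropping the first line keeps logrotate_t's reach to the domain transition alone. If logrotate does need direct write access, a one-line comment above the block saying why (e.g. `# webalizer postrotate rewrites usage history`) would save the next reviewer the same question.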
Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if
+++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webalizer_usage_manage',`
+ gen_require(`
+ type webalizer_usage_t;
+ ')
+
+ allow $1 webalizer_usage_t:dir manage_dir_perms;
+ allow $1 webalizer_usage_t:file manage_file_perms;
+')
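Review bot: The new interface name `webalizer_usage_manage` departs from the module_verb_object convention the rest of this patch relies on (`varnishd_manage_log` in the logrotate.te hunk, `webalizer_run` immediately above); `webalizer_manage_usage` would match. The body also spells out bare `allow` rules where webalizer.te itself uses the pattern macros, so `manage_dirs_pattern($1, webalizer_usage_t, webalizer_usage_t)` and `manage_files_pattern($1, webalizer_usage_t, webalizer_usage_t)` would be the consistent form. Whether callers additionally need search on the parent directory depends on where the usage files live, which this patch does not show — worth confirming before merge.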
Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te
+++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te
@@ -16,12 +16,18 @@ role webalizer_roles types webalizer_t;
type webalizer_etc_t;
files_config_file(webalizer_etc_t)

+type webalizer_usage_t;
+files_type(webalizer_usage_t)
+
type webalizer_tmp_t;
files_tmp_file(webalizer_tmp_t)

type webalizer_var_lib_t;
files_type(webalizer_var_lib_t)

+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
########################################
#
# Local policy
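Review bot: Both new types, `webalizer_usage_t` and `webalizer_log_t`, are declared here, but the patch touches only logrotate.te, webalizer.if and webalizer.te — there is no webalizer.fc hunk, so nothing on disk gets either label and the allow rules on them cannot take effect until file contexts are added. The expected companion change is an .fc entry per directory using `gen_context(system_u:object_r:webalizer_log_t,s0)` and the usage-file equivalent; the exact paths depend on the Debian package layout, which is not visible from this hunk.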
@@ -34,13 +40,19 @@ allow webalizer_t self:fifo_file rw_fifo
allow webalizer_t self:unix_dgram_socket sendto;
allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
+allow webalizer_t webalizer_usage_t:dir manage_dir_perms;
+allow webalizer_t webalizer_usage_t:file manage_file_perms;

allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)

manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })

+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)

@@ -50,6 +62,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)

files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)

fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
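Review bot: `miscfiles_read_fonts(webalizer_t)` is inserted between the `files_` and `fs_` calls, breaking the alphabetical-by-module ordering the surrounding lines follow; moving it below the `fs_` block keeps the file consistent with refpolicy layout. The permission itself looks plausible for a report generator that renders graphs, but nothing in the hunk records what denial prompted it, so a short note in the commit message would help.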


2016-10-04 23:20:28

by Chris PeBenito

Subject: [refpolicy] webalizer patch

On 10/03/16 02:08, Russell Coker via refpolicy wrote:
> Below is the current Debian patch for Webalizer. I was prompted to submit
> this for consideration now when I noticed that webalizer_usage_t had been
> removed from the upstream repository.
>
> Note that I'm not suggesting that we should necessarily include this policy
> as-is. It could make sense to combine the functions of webalizer_usage_t
> and webalizer_log_t because it's ALL log data really. I'd be happy to send
> a replacement patch if merging those types is considered the correct thing
> to do.

I would think that the webalizer_usage_t would be the same as the
existing webalizer_var_lib_t; it's all the data that webalizer keeps for
history, right?


> Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te
> @@ -245,6 +245,11 @@ optional_policy(`
> varnishd_manage_log(logrotate_t)
> ')
>
> +optional_policy(`
> + webalizer_usage_manage(logrotate_t)
> + webalizer_run(logrotate_t, system_r)
> +')
> +
> #######################################
> #
> # Mail local policy
> Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if
> +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if
> @@ -45,3 +45,23 @@ interface(`webalizer_run',`
> webalizer_domtrans($1)
> roleattribute $2 webalizer_roles;
> ')
> +
> +########################################
> +## <summary>
> +## Manage webalizer usage files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to manage webalizer usage files
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`webalizer_usage_manage',`
> + gen_require(`
> + type webalizer_usage_t;
> + ')
> +
> + allow $1 webalizer_usage_t:dir manage_dir_perms;
> + allow $1 webalizer_usage_t:file manage_file_perms;
> +')
> Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te
> +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te
> @@ -16,12 +16,18 @@ role webalizer_roles types webalizer_t;
> type webalizer_etc_t;
> files_config_file(webalizer_etc_t)
>
> +type webalizer_usage_t;
> +files_type(webalizer_usage_t)
> +
> type webalizer_tmp_t;
> files_tmp_file(webalizer_tmp_t)
>
> type webalizer_var_lib_t;
> files_type(webalizer_var_lib_t)
>
> +type webalizer_log_t;
> +logging_log_file(webalizer_log_t)
> +
> ########################################
> #
> # Local policy
> @@ -34,13 +40,19 @@ allow webalizer_t self:fifo_file rw_fifo
> allow webalizer_t self:unix_dgram_socket sendto;
> allow webalizer_t self:unix_stream_socket { accept connectto listen };
> allow webalizer_t self:tcp_socket { accept listen };
> +allow webalizer_t webalizer_usage_t:dir manage_dir_perms;
> +allow webalizer_t webalizer_usage_t:file manage_file_perms;
>
> allow webalizer_t webalizer_etc_t:file read_file_perms;
> +files_read_usr_files(webalizer_t)
>
> manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
>
> +manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
> +manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
> +
> manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
> files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
>
> @@ -50,6 +62,7 @@ kernel_read_kernel_sysctls(webalizer_t)
> kernel_read_system_state(webalizer_t)
>
> files_read_etc_runtime_files(webalizer_t)
> +miscfiles_read_fonts(webalizer_t)
>
> fs_search_auto_mountpoints(webalizer_t)
> fs_getattr_xattr_fs(webalizer_t)


--
Chris PeBenito