Thanks Chris for the suggestions, here's a patch that I think is worthy of
inclusion.
Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te
@@ -245,6 +245,11 @@ optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ manage_webalizer_var_lib(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
#######################################
#
# Mail local policy
Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if
+++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te
+++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socke
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
On 10/19/16 02:07, Russell Coker via refpolicy wrote:
> Thanks Chris for the suggestions, here's a patch that I think is worthy of
> inclusion.
>
Merged, though I moved a couple lines.
> Index: refpolicy-2.20160928/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20160928/policy/modules/contrib/logrotate.te
> @@ -245,6 +245,11 @@ optional_policy(`
> varnishd_manage_log(logrotate_t)
> ')
>
> +optional_policy(`
> + manage_webalizer_var_lib(logrotate_t)
> + webalizer_run(logrotate_t, system_r)
> +')
> +
> #######################################
> #
> # Mail local policy
> Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.if
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.if
> +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.if
> @@ -45,3 +45,23 @@ interface(`webalizer_run',`
> webalizer_domtrans($1)
> roleattribute $2 webalizer_roles;
> ')
> +
> +########################################
> +## <summary>
> +## Manage webalizer usage files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to manage webalizer usage files
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`manage_webalizer_var_lib',`
> + gen_require(`
> + type webalizer_var_lib_t;
> + ')
> +
> + allow $1 webalizer_var_lib_t:dir manage_dir_perms;
> + allow $1 webalizer_var_lib_t:file manage_file_perms;
> +')
> Index: refpolicy-2.20160928/policy/modules/contrib/webalizer.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/contrib/webalizer.te
> +++ refpolicy-2.20160928/policy/modules/contrib/webalizer.te
> @@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socke
> allow webalizer_t self:tcp_socket { accept listen };
>
> allow webalizer_t webalizer_etc_t:file read_file_perms;
> +files_read_usr_files(webalizer_t)
>
> manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> @@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
> kernel_read_system_state(webalizer_t)
>
> files_read_etc_runtime_files(webalizer_t)
> +miscfiles_read_fonts(webalizer_t)
>
> fs_search_auto_mountpoints(webalizer_t)
> fs_getattr_xattr_fs(webalizer_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito