commit: 7ba6a2c036470cfa2cf1cac7665275ba48f45627 Author: Russell Coker via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com> AuthorDate: Wed Oct 19 06:07:20 2016 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Mon Oct 24 15:57:35 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ba6a2c0
webalizer patch for inclusion

Thanks Chris for the suggestions, here's a patch that I think is worthy of inclusion.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

policy/modules/contrib/logrotate.te | 5 +++++
policy/modules/contrib/webalizer.if | 20 ++++++++++++++++++++
policy/modules/contrib/webalizer.te | 2 ++
3 files changed, 27 insertions(+)

diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a1670d0..f7a70da 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -242,6 +242,11 @@ optional_policy(`
 	varnishd_manage_log(logrotate_t)
 ')
 
+optional_policy(`
+	manage_webalizer_var_lib(logrotate_t)
+	webalizer_run(logrotate_t, system_r)
+')
+
 #######################################
 #
 # Mail local policy
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
index fa28353..cc831b6 100644
--- a/policy/modules/contrib/webalizer.if
+++ b/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
 	webalizer_domtrans($1)
 	roleattribute $2 webalizer_roles;
 ')
+
+########################################
+## <summary>
+##	Manage webalizer usage files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to manage webalizer usage files
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+	gen_require(`
+		type webalizer_var_lib_t;
+	')
+
+	allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+	allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 99bef4a..ff69b41 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
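Review bot: The new `optional_policy` block in logrotate.te calls `manage_webalizer_var_lib(logrotate_t)`, but refpolicy interface names are prefixed with the owning module (compare `webalizer_run` on the very next line), so the call and the definition added in webalizer.if should both read `webalizer_manage_var_lib`. Granting logrotate_t full manage rights over webalizer_var_lib_t is also broader than a postrotate hook that merely runs webalizer should need: once the domain transition from `webalizer_run` is in place, webalizer_t rather than logrotate_t writes the state files, so the manage call may be unnecessary and is worth confirming against the denials that motivated it. If it is needed, a one-line comment above the block naming what logrotate itself does to those files would help the next reader.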
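Review bot: The `<rolecap/>` tag on the new interface in webalizer.if does not belong there; that tag marks interfaces that take a role parameter and extend what the role may do (as `webalizer_run` above does), whereas this interface only takes a domain, so the `+## <rolecap/>` line should be dropped. The body grants access with raw `allow` rules; the conventional form is `manage_dirs_pattern($1, webalizer_var_lib_t, webalizer_var_lib_t)` and `manage_files_pattern($1, webalizer_var_lib_t, webalizer_var_lib_t)`, which also cover the directory search a caller needs to reach the files. For the same reason the interface should probably call `files_search_var_lib($1)`, since a caller that cannot traverse the parent directory gets no use from the file permissions. The summary "Manage webalizer usage files" could name the actual object, e.g. `##	Create, read, write, and delete webalizer state files (webalizer_var_lib_t).`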
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
 allow webalizer_t self:tcp_socket { accept listen };
 
 allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
 
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
 
 files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
 
 fs_search_auto_mountpoints(webalizer_t)
 fs_getattr_xattr_fs(webalizer_t)
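Review bot: `files_read_usr_files(webalizer_t)` is placed directly after an `allow` rule on webalizer_etc_t instead of with the other kernel-layer interface calls, and `miscfiles_read_fonts(webalizer_t)` in the second hunk lands between the `files_*` and `fs_*` calls; refpolicy orders interface calls by layer and then by module, so `files_read_usr_files` belongs next to `files_read_etc_runtime_files` and `miscfiles_read_fonts` after the `fs_*` calls, since miscfiles is a system-layer module. The reads themselves are plausible for a report generator that loads fonts and shared data, but neither the hunks nor the commit description says which denied accesses prompted them, and a line in the description recording that would make the grant reviewable later.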