[selinux-policy: 736/3172] add in last bits of webalizer

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:08:27 UTC 2010


commit be4690a5ae985131883611b3420d418790a2d114
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 12 17:22:25 2005 +0000

    add in last bits of webalizer

 refpolicy/policy/modules/apps/webalizer.if    |   46 +++++++++++++++++++++++++
 refpolicy/policy/modules/apps/webalizer.te    |   17 ++-------
 refpolicy/policy/modules/services/apache.if   |   41 ++++++++++++++++++++++
 refpolicy/policy/modules/system/userdomain.te |    4 ++
 4 files changed, 94 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/webalizer.if b/refpolicy/policy/modules/apps/webalizer.if
index 4c7a274..8d56589 100644
--- a/refpolicy/policy/modules/apps/webalizer.if
+++ b/refpolicy/policy/modules/apps/webalizer.if
@@ -1 +1,47 @@
 ## <summary>Web server log analysis</summary>
+
+########################################
+## <summary>
+##	Execute webalizer in the webalizer domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`webalizer_domtrans',`
+	gen_require(`
+		type webalizer_t, webalizer_exec_t;
+	')
+
+	domain_auto_trans($1,webalizer_exec_t,webalizer_t)
+
+	allow $1 webalizer_t:fd use;
+	allow webalizer_t $1:fd use;
+	allow webalizer_t $1:fifo_file rw_file_perms;
+	allow webalizer_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute webalizer in the webalizer domain, and
+##	allow the specified role the webalizer domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the webalizer domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the webalizer domain to use.
+## </param>
+#
+interface(`webalizer_run',`
+	gen_require(`
+		type webalizer_t;
+	')
+
+	webalizer_domtrans($1)
+	role $2 types webalizer_t;
+	allow webalizer_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 8602aba..2d58940 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -86,6 +86,9 @@ sysnet_read_config(webalizer_t)
 
 userdom_use_unpriv_users_fd(webalizer_t)
 
+apache_read_log(webalizer_t)
+apache_manage_sys_content(webalizer_t)
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(webalizer_t)
 ')
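Review bot: The two added calls `apache_read_log(webalizer_t)` and `apache_manage_sys_content(webalizer_t)` are unconditional, while every other cross-module call in this file (nis, nscd, cron) sits inside an optional_policy block; if the apache module is not built, these two lines will fail to resolve and break the webalizer module. They should be wrapped the same way as the nis block that follows, `optional_policy(`apache.te',` around the two calls and a closing `')`. The second hunk in this file only removes the old TODO block and needs no change.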
@@ -97,17 +100,3 @@ optional_policy(`nscd.te',`
 optional_policy(`cron.te',`
 	cron_system_entry(webalizer_t,webalizer_exec_t)
 ')
-
-ifdef(`TODO',`
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block.
-
-allow webalizer_t httpd_log_t:dir { getattr read search };
-allow webalizer_t httpd_log_t:file { read getattr };
-allow webalizer_t httpd_log_t:lnk_file { getattr read };
-
-allow webalizer_t httpd_sys_content_t:dir create_dir_perms;
-allow webalizer_t httpd_sys_content_t:file create_file_perms;
-allow webalizer_t httpd_sys_content_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 155c9a3..3966860 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -432,6 +432,26 @@ interface(`apache_run_helper',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to read
+##	apache log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_read_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 httpd_log_t:dir r_dir_perms;
+	allow $1 httpd_log_t:file r_file_perms;
+	allow $1 httpd_log_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to append to the
 ##	Apache logs.
 ## </summary>
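Review bot: apache_read_log only grants `files_search_var($1)` before allowing access to httpd_log_t; if the httpd log directory lives under /var/log (as it presumably does), the caller also needs search on the /var/log directory type, which in refpolicy is granted by `logging_search_logs($1)` — please confirm against the file contexts for httpd_log_t. As a minor style point, the lnk_file rule spells out `{ getattr read }` while the dir and file rules use the named r_dir_perms/r_file_perms sets; using one convention for all three makes the interface easier to audit.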
@@ -467,6 +487,27 @@ interface(`apache_list_modules',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to manage
+##	apache system content files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_manage_sys_content',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 httpd_sys_content_t:dir create_dir_perms;
+	allow $1 httpd_sys_content_t:file create_file_perms;
+	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
 ##	Execute all web scripts in the system
 ##	script domain.
 ## </summary>
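Review bot: The gen_require block of apache_manage_sys_content declares `type httpd_log_t;` but none of the rules use it; they all reference httpd_sys_content_t, which is never required, so the interface will fail to build in a module where that type is not otherwise in scope. Change the require line to `type httpd_sys_content_t;`. Separately, the comment above the interface says httpd_sys_content_t is found under /var, /etc, /srv and /usr, yet only `files_search_var($1)` is granted; if the caller is meant to reach content outside /var the corresponding search interfaces are missing, or the comment should say that only /var content is reachable through this interface.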
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index cc80db1..0d885fc 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -262,4 +262,8 @@ ifdef(`targeted_policy',`
 	optional_policy(`vpn.te',`
 		vpn_run(sysadm_t,sysadm_r,admin_terminal)
 	')
+
+	optional_policy(`webalizer.te',`
+		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
+	')
 ')

