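# DESC webalizer - webalizer
#
# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
#
# Depends: apache.te
#
# webalizer analyzes the apache access logs and writes generated reports and
# its own state files; this file confines that process in webalizer_t.

application_domain(webalizer)
# to use from cron
system_crond_entry(webalizer_exec_t,webalizer_t)
role system_r types webalizer_t;

## type definitions
# type for usage file
# NOTE(review): no rule in this file grants webalizer_t any access to
# webalizer_usage_t - confirm it is still referenced (file_contexts or
# another .te) and not a leftover declaration.
type webalizer_usage_t,file_type,sysadmfile;
# type for /var/lib/webalizer
# NOTE(review): also unreferenced by any rule below; the /var/lib type that
# webalizer_t actually uses comes from var_lib_domain() further down.
type webalizer_write_t,file_type,sysadmfile;
# type for webalizer.conf
etc_domain(webalizer)

# read apache log
allow webalizer_t var_log_t:dir r_dir_perms;
r_dir_file(webalizer_t, httpd_log_t)

# r/w /var/lib/webalizer
var_lib_domain(webalizer)

# create/write report output under /var/www/usage
# create_dir_file is a create and write macro, not a read-only one, and its
# target httpd_sys_content_t covers all served static content, not only the
# usage directory. A dedicated output type for the report directory would
# bound what this domain can write into web-served content.
create_dir_file(webalizer_t, httpd_sys_content_t)

# read system files under /etc
allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
read_locale(webalizer_t)

# can use tmp file
tmp_domain(webalizer)

# can read /proc
read_sysctl(webalizer_t)
allow webalizer_t proc_t:dir search;
allow webalizer_t proc_t:file r_file_perms;

# network
# NOTE(review): a log analyzer normally needs only outbound (client) access,
# e.g. for reverse DNS lookups; can_network_server also permits listening.
# Confirm the server-side permissions are required before keeping this.
can_network_server(webalizer_t)

# process communication inside webalizer itself
general_domain_access(webalizer_t)

# dac_override bypasses DAC permission checks on every file this domain can
# otherwise reach under MAC; keep it only if webalizer really runs without
# ownership of its log, state and output files.
allow webalizer_t self:capability dac_override;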