Chris PeBenito 0fbfa5
# DESC webalizer - webalizer
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Depends: apache.te
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
application_domain(webalizer)
Chris PeBenito 0fbfa5
# to use from cron
Chris PeBenito 0fbfa5
system_crond_entry(webalizer_exec_t,webalizer_t)
Chris PeBenito 0fbfa5
role system_r types webalizer_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##type definision
Chris PeBenito 0fbfa5
# type for usage file
Chris PeBenito 0fbfa5
type webalizer_usage_t,file_type,sysadmfile;
Chris PeBenito 0fbfa5
# type for /var/lib/webalizer
Chris PeBenito 0fbfa5
type webalizer_write_t,file_type,sysadmfile;
Chris PeBenito 0fbfa5
# type for webalizer.conf
Chris PeBenito 0fbfa5
etc_domain(webalizer)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#read apache log
Chris PeBenito 0fbfa5
allow webalizer_t var_log_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
r_dir_file(webalizer_t, httpd_log_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#r/w /var/lib/webalizer
Chris PeBenito 0fbfa5
var_lib_domain(webalizer)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#read /var/www/usage
Chris PeBenito 0fbfa5
create_dir_file(webalizer_t, httpd_sys_content_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#read system files under /etc
Chris PeBenito 0fbfa5
allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
Chris PeBenito 0fbfa5
read_locale(webalizer_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# can use tmp file
Chris PeBenito 0fbfa5
tmp_domain(webalizer)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# can read /proc
Chris PeBenito 0fbfa5
read_sysctl(webalizer_t)
Chris PeBenito 0fbfa5
allow webalizer_t proc_t:dir search;
Chris PeBenito 0fbfa5
allow webalizer_t proc_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# network
Chris PeBenito 0fbfa5
can_network_server(webalizer_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#process communication inside webalizer itself
Chris PeBenito 0fbfa5
general_domain_access(webalizer_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow webalizer_t self:capability dac_override;