diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
index d10a959..df25edb 100644
--- a/refpolicy/policy/constraints
+++ b/refpolicy/policy/constraints
@@ -37,9 +37,10 @@ constrain process transition
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
-ifdef(`TODO',`
ifdef(`userhelper.te',
- `or (t1 == userhelperdomain)')
+ `or (t1 == userhelperdomain)
+')
+ifdef(`TODO',`
or (t1 == priv_system_role and u2 == system_u )
') dnl end TODO
);
@@ -52,13 +53,15 @@ constrain process transition
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
-ifdef(`TODO',`
ifdef(`userhelper.te',
- `or (t1 == userhelperdomain)')
+ `or (t1 == userhelperdomain)
+')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
- `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+ `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )
+')
')
+ifdef(`TODO',`
or (t1 == priv_system_role and r2 == system_r )
') dnl end TODO
);
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 66d899e..28dba7a 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -59,6 +59,10 @@ optional_policy(`authlogin.te', `
auth_read_pam_pid(consoletype_t)
')
+optional_policy(`logrotate.te',`
+ logrotate_dontaudit_use_fd(consoletype_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(consoletype_t)
')
diff --git a/refpolicy/policy/modules/admin/logrotate.fc b/refpolicy/policy/modules/admin/logrotate.fc
new file mode 100644
index 0000000..618ff00
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logrotate.fc
@@ -0,0 +1,16 @@
+/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
+
+/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t
+/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t
+
+/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
+
+# using a hard-coded name under /var/tmp is a bug - new version fixes it
+/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
+
+ifdef(`distro_debian', `
+/usr/bin/savelog -- system_u:object_r:logrotate_exec_t
+/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t
+', `
+/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t
+')
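Review bot: The `/var/tmp/logcheck -d` entry labels a directory with a predictable name in a world-writable location as logrotate_tmp_t, and logrotate.te in this same commit grants `can_exec(logrotate_t, logrotate_tmp_t)`, so anything that ends up under that label becomes executable by the domain; the existing comment admits the hard-coded name is a bug but not why it matters. I would extend the comment to `# using a hard-coded name under /var/tmp is a bug - new version fixes it; this label is only applied on relabel, and logrotate_t can execute logrotate_tmp_t content, so do not widen this entry`. It would also help to say in a comment why `/usr/sbin/logcheck` and the cron.daily/weekly `sysklogd` script share logrotate_exec_t rather than getting their own entry point, since the .te file never mentions logcheck.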
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
new file mode 100644
index 0000000..134a886
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -0,0 +1,84 @@
+## Rotate and archive system logs
+
+########################################
+##
+## Execute logrotate in the logrotate domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`logrotate_domtrans',`
+ gen_require(`
+ type logrotate_t, logrotate_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,logrotate_exec_t,logrotate_t)
+
+ allow $1 logrotate_t:fd use;
+ allow logrotate_t $1:fd use;
+ allow logrotate_t $1:fifo_file rw_file_perms;
+ allow logrotate_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute logrotate in the logrotate domain, and
+## allow the specified role the logrotate domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the logrotate domain.
+##
+##
+## The type of the terminal allow the logrotate domain to use.
+##
+#
+interface(`logrotate_run',`
+ gen_require(`
+ type logrotate_t;
+ class chr_file rw_term_perms;
+ ')
+
+ logrotate_domtrans($1)
+ role $2 types logrotate_t;
+ allow logrotate_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Execute logrotate in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`logrotate_exec',`
+ gen_require(`
+ type logrotate_exec_t;
+ ')
+
+ can_exec($1,logrotate_exec_t)
+')
+
+########################################
+##
+## Do not audit attempts to inherit logrotate file descriptors.
+##
+##
+## The type of the process to not audit.
+##
+#
+interface(`logrotate_dontaudit_use_fd',`
+ gen_require(`
+ type logrotate_t;
+ class fd;
+ ')
+
+ dontaudit $1 logrotate_t:fd use;
+')
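Review bot: The gen_require block of `logrotate_dontaudit_use_fd` lists `class fd;` with no permission, while every other require in this file names the permission it uses (`class fd use;` in `logrotate_domtrans`); the body uses `use`, so the require should read `class fd use;`. As far as I can tell a permission-less class require is also not accepted by the loadable-module require grammar, though in base policy the macro expands to nothing so the inconsistency goes unnoticed. Separately, the `##` doc blocks for all four interfaces lose the parameter names between the summary and the description lines, so the generated documentation cannot tell which of `logrotate_run`'s three arguments is the role and which is the terminal; if the parameter tags were stripped in transit, please confirm they are present in the real file.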
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
new file mode 100644
index 0000000..e616644
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -0,0 +1,163 @@
+
+policy_module(logrotate,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type logrotate_t; #, priv_system_role, nscd_client_domain;
+domain_type(logrotate_t)
+domain_obj_id_change_exempt(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
+files_file_type(logrotate_exec_t)
+
+type logrotate_tmp_t;
+files_tmp_file(logrotate_tmp_t)
+
+type logrotate_var_lib_t;
+files_file_type(logrotate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
+allow logrotate_t self:fd use;
+allow logrotate_t self:fifo_file rw_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+allow logrotate_t self:unix_dgram_socket sendto;
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:shm create_shm_perms;
+allow logrotate_t self:sem create_sem_perms;
+allow logrotate_t self:msgq create_msgq_perms;
+allow logrotate_t self:msg { send receive };
+
+can_exec(logrotate_t, logrotate_tmp_t)
+
+allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
+allow logrotate_t logrotate_tmp_t:file create_file_perms;
+files_create_tmp_files(logrotate_t, logrotate_tmp_t, { file dir })
+
+allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctl(logrotate_t)
+
+dev_read_urand(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+
+# Run helper programs.
+corecmd_exec_bin(logrotate_t)
+corecmd_exec_sbin(logrotate_t)
+corecmd_exec_shell(logrotate_t)
+corecmd_exec_ls(logrotate_t)
+
+domain_signal_all_domains(logrotate_t)
+domain_use_wide_inherit_fd(logrotate_t)
+
+files_read_usr_files(logrotate_t)
+files_read_generic_etc_files(logrotate_t)
+files_read_etc_runtime_files(logrotate_t)
+files_manage_generic_lock_files(logrotate_t)
+files_read_all_pids(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
+files_manage_spools(logrotate_t)
+files_manage_spool_dirs(logrotate_t)
+
+hostname_exec(logrotate_t)
+
+# cjp: why is this needed?
+init_domtrans_script(logrotate_t)
+
+logging_manage_all_logs(logrotate_t)
+# cjp: why is this needed?
+logging_exec_all_logs(logrotate_t)
+
+libs_use_ld_so(logrotate_t)
+libs_use_shared_libs(logrotate_t)
+
+miscfiles_read_localization(logrotate_t)
+
+sysnet_read_config(logrotate_t)
+
+userdom_use_unpriv_users_fd(logrotate_t)
+
+cron_system_entry(logrotate_t, logrotate_exec_t)
+cron_search_spool(logrotate_t)
+
+mta_send_mail(logrotate_t)
+
+ifdef(`distro_debian', `
+ allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+ # for savelog
+ can_exec(logrotate_t, logrotate_exec_t)
+')
+
+optional_policy(`consoletype.te',`
+ consoletype_exec(logrotate_t)
+
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(logrotate_t)
+')
+
+ifdef(`TODO',`
+
+#from privmail this needs more work:
+allow mta_user_agent logrotate_t:fd use;
+allow mta_user_agent logrotate_t:process sigchld;
+allow mta_user_agent logrotate_t:fifo_file { read write };
+
+ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
+
+# it should not require this
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
+
+# Read /proc/PID directories for all domains.
+allow logrotate_t domain:notdevfile_class_set r_file_perms;
+allow logrotate_t domain:dir r_dir_perms;
+allow logrotate_t exec_type:file getattr;
+
+#this should go to squid:
+ifdef(`squid.te', `
+allow squid_t { system_crond_t crond_t }:fd use;
+allow squid_t crond_t:fifo_file { read write };
+allow squid_t system_crond_t:fifo_file write;
+allow squid_t self:capability kill;
+')
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
+
+allow crond_t logrotate_var_lib_t:dir search;
+
+# for /var/backups on Debian
+ifdef(`backup.te', `
+rw_dir_create_file(logrotate_t, backup_store_t)
+')
+
+allow logrotate_t syslogd_t:unix_dgram_socket sendto;
+
+dontaudit logrotate_t selinux_config_t:dir search;
+') dnl end TODO
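Review bot: logrotate_var_lib_t only gets `allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };`, but logrotate.fc in this commit labels `/var/lib/logrotate.status` (and the Debian `/var/lib/logrotate` contents) with that type and the `file_type_auto_trans` that would create status files is left inside the TODO block, so the domain cannot read or write its own state file; add `allow logrotate_t logrotate_var_lib_t:file create_file_perms;` next to the dir rule (or the transition once it is brought out of TODO). The `allow logrotate_t self:process ~{ ... setfscreate ... };` line excludes setfscreate and the very next rule grants it, which reads as a contradiction; either drop setfscreate from the exclusion list and keep the explanatory comment, or comment that the explicit grant is deliberate. Two rules carry a "cjp: why is this needed?" comment, and `logging_exec_all_logs` in particular lets the domain execute files carrying the logfile attribute, which is attacker-influenced content, so that rationale should be settled before merge rather than left as a question.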
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index d611f0e..5c13c28 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -309,6 +309,7 @@ interface(`cron_system_entry',`
##
## The type of the process to performing this action.
##
+#
interface(`cron_rw_log',`
gen_require(`
type crond_log_t;
@@ -318,3 +319,21 @@ interface(`cron_rw_log',`
logging_search_logs($1)
allow $1 crond_log_t:file rw_file_perms;
')
+
+########################################
+##
+## Search the directory containing user cron tables.
+##
+##
+## The type of the process to performing this action.
+##
+#
+interface(`cron_search_spool',`
+ gen_require(`
+ type cron_spool_t;
+ class dir search;
+ ')
+
+ files_search_spool($1)
+ allow $1 cron_spool_t:dir search;
+')
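Review bot: The parameter description of the new `cron_search_spool` interface reads "The type of the process to performing this action." and should be `## The type of the process performing this action.`; the same wording appears in the context lines of the previous hunk for `cron_rw_log`, which this commit touches only to add a `#`, so both can be fixed together. The summary "Search the directory containing user cron tables." matches the rule on cron_spool_t, so no other change is needed here.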
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 2a3e676..0ac3e9f 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -222,4 +222,8 @@ allow system_mail_t system_crond_tmp_t:file r_file_perms;
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
')
+optional_policy(`logrotate.te', `
+ allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
+')
+
') dnl end TODO
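Review bot: The new `optional_policy(`logrotate.te', ...)` block is inserted before the `') dnl end TODO` line, so it sits inside the `ifdef(`TODO'` region and is never compiled; if the intent is to let system_mail_t and mta_user_agent read logrotate_tmp_t (logrotate.te grants `mta_send_mail(logrotate_t)`, so mail is expected to read its temporary files), the block has to move below the TODO terminator. Once outside TODO, the direct reference to `logrotate_tmp_t` would need a gen_require in module builds, or better a dedicated interface such as a read-tmp-files interface in logrotate.if, following the pattern the rest of the commit uses for cross-module access. The enclosing `ifdef(`TODO'` begins outside the hunk.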
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 3df2761..6fcb4d0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -640,3 +640,16 @@ interface(`auth_rw_login_records',`
logging_search_logs($1)
')
+#######################################
+#
+# auth_manage_login_records(domain)
+#
+interface(`auth_manage_login_records',`
+ gen_require(`
+ type wtmp_t;
+ class file create_file_perms;
+ ')
+
+ logging_rw_log_dir($1)
+ allow $1 wtmp_t:file create_file_perms;
+')
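Review bot: `auth_manage_login_records` is documented with the old `# name(domain)` banner while the other interfaces this commit adds (`cron_search_spool`, `logging_rw_log_dir`) use the `##` summary/param style; a new interface should use the newer form, and since it hands out create_file_perms on wtmp_t together with rw access to the /var/log directory, the summary should state that it allows creating, truncating and deleting the login records that forensic tools rely on, e.g. `## Create, read, write and delete login records (wtmp); callers can rotate or destroy the login history.`. The interface otherwise matches the neighbouring `auth_rw_login_records` pattern, whose body starts outside the hunk.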
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 9f70fef..c28b1fb 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1246,6 +1246,20 @@ interface(`files_list_spool',`
########################################
#
+# files_manage_spool_dirs(domain)
+#
+interface(`files_manage_spool_dirs',`
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_spool_t:dir create_dir_perms;
+')
+
+########################################
+#
# files_read_spools(domain)
#
interface(`files_read_spools',`
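Review bot: `files_manage_spool_dirs` uses `allow $1 var_t:dir search;` directly, whereas the other new interfaces in this commit (`logging_rw_log_dir`, `logging_manage_all_logs`) reach /var through `files_search_var($1)`; calling that helper here keeps var_t out of the gen_require and keeps the access to /var expressed in one place. The doc banner is the old `# files_manage_spool_dirs(domain)` form while the commit's other additions use `##` summary/param comments, so I would convert it to that style with a summary such as `## Create, read, write and delete directories directly under /var/spool.`.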
@@ -1275,4 +1289,3 @@ interface(`files_manage_spools',`
allow $1 var_spool_t:dir rw_dir_perms;
allow $1 var_spool_t:file create_file_perms;
')
-
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index e3da815..07a65c5 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -79,6 +79,24 @@ interface(`logging_search_logs',`
')
#######################################
+##
+## Read and write the generic log directory (/var/log).
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`logging_rw_log_dir',`
+ gen_require(`
+ type var_log_t;
+ class dir rw_dir_perms;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir rw_dir_perms;
+')
+
+#######################################
#
# logging_dontaudit_getattr_all_logs(domain)
#
@@ -127,6 +145,38 @@ interface(`logging_read_all_logs',`
#######################################
#
+# logging_exec_all_logs(domain)
+#
+interface(`logging_exec_all_logs',`
+ gen_require(`
+ attribute logfile;
+ class dir r_dir_perms;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir r_dir_perms;
+ can_exec($1,logfile)
+')
+
+#######################################
+#
+# logging_manage_all_logs(domain)
+#
+interface(`logging_manage_all_logs',`
+ gen_require(`
+ attribute logfile;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir rw_dir_perms;
+ allow $1 logfile:lnk_file read;
+ allow $1 logfile:file create_file_perms;
+')
+
+#######################################
+#
# logging_read_generic_logs(domain)
#
interface(`logging_read_generic_logs',`
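Review bot: The gen_require of `logging_manage_all_logs` lists `class dir rw_dir_perms;` and `class file create_file_perms;` but the body also has `allow $1 logfile:lnk_file read;`, so `class lnk_file read;` is missing from the require block; the same omission pattern does not affect `logging_exec_all_logs`, whose only extra access comes through `can_exec`. `logging_exec_all_logs` grants execution of every file carrying the logfile attribute, which is data written by many daemons and influenced by remote input, and the only caller in this commit (logrotate.te) annotates it with "cjp: why is this needed?"; the interface should carry a comment stating the intended use so reviewers can judge whether a narrower type would do. Both interfaces use the old `# name(domain)` doc banner while `logging_rw_log_dir` in the previous hunk uses the `##` summary/param style; the new ones should match it.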
@@ -172,4 +222,3 @@ interface(`logging_rw_generic_logs',`
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file rw_file_perms;
')
-
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2b757c8..8998808 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -110,6 +110,10 @@ optional_policy(`modutils.te',`
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
')
+optional_policy(`logrotate.te',`
+ logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+')
+
optional_policy(`mount.te',`
mount_run(sysadm_t,sysadm_r,admin_terminal)
')
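Review bot: The `optional_policy(`logrotate.te', ...)` block is inserted between the modutils and mount blocks, but the surrounding optional_policy calls appear to be kept in alphabetical order, so it belongs before `optional_policy(`modutils.te',`; the enclosing run of optional_policy blocks starts outside the hunk. `logrotate_run(sysadm_t,sysadm_r,admin_terminal)` itself mirrors the neighbouring `modutils_run` and `mount_run` calls, and combined with `logging_manage_all_logs` and `auth_manage_login_records` in logrotate.te it lets sysadm_r drive a domain that can rewrite every log and the wtmp records, which is worth a one-line comment here for anyone auditing what sysadm_r can reach.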