diff --git a/refpolicy/policy/modules/apps/webalizer.if b/refpolicy/policy/modules/apps/webalizer.if
index 4c7a274..8d56589 100644
--- a/refpolicy/policy/modules/apps/webalizer.if
+++ b/refpolicy/policy/modules/apps/webalizer.if
@@ -1 +1,47 @@
## Web server log analysis
+
+########################################
+##
+## Execute webalizer in the webalizer domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`webalizer_domtrans',`
+ gen_require(`
+ type webalizer_t, webalizer_exec_t;
+ ')
+
+ domain_auto_trans($1,webalizer_exec_t,webalizer_t)
+
+ allow $1 webalizer_t:fd use;
+ allow webalizer_t $1:fd use;
+ allow webalizer_t $1:fifo_file rw_file_perms;
+ allow webalizer_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute webalizer in the webalizer domain, and
+## allow the specified role the webalizer domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the webalizer domain.
+##
+##
+## The type of the terminal allow the webalizer domain to use.
+##
+#
+interface(`webalizer_run',`
+ gen_require(`
+ type webalizer_t;
+ ')
+
+ webalizer_domtrans($1)
+ role $2 types webalizer_t;
+ allow webalizer_t $3:chr_file rw_term_perms;
+')
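Review bot: The third parameter description in the webalizer_run header is ungrammatical ("The type of the terminal allow the webalizer domain to use.") and should read `## The type of the terminal the webalizer domain is allowed to use.` As shown here, neither header names which positional argument ($1, $2, $3) each paragraph describes, though that markup may simply have been lost in rendering. Since webalizer_run grants a role access to webalizer_t and read/write on a caller-supplied terminal type, it is worth stating in the header that it is intended for administrative roles only.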
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 8602aba..2d58940 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -86,6 +86,9 @@ sysnet_read_config(webalizer_t)
userdom_use_unpriv_users_fd(webalizer_t)
+apache_read_log(webalizer_t)
+apache_manage_sys_content(webalizer_t)
+
optional_policy(`nis.te',`
nis_use_ypbind(webalizer_t)
')
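Review bot: The new calls `apache_read_log(webalizer_t)` and `apache_manage_sys_content(webalizer_t)` sit at top level, while the other cross-module dependencies visible in this file (nis.te, nscd.te, cron.te) are wrapped in optional_policy. If the apache module is not built, these interfaces would presumably be undefined, so an optional_policy block keyed on apache.te would match the file's convention. Separately, apache_manage_sys_content gives webalizer create and write access to every httpd_sys_content_t object, not just its report directory, so a flaw in its log parsing would expose all system web content to modification. A dedicated type for the report output directory would keep the grant least-privilege. At minimum a comment such as `# webalizer writes its HTML reports into the web content tree` above the call would record why manage access is needed.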
@@ -97,17 +100,3 @@ optional_policy(`nscd.te',`
optional_policy(`cron.te',`
cron_system_entry(webalizer_t,webalizer_exec_t)
')
-
-ifdef(`TODO',`
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block.
-
-allow webalizer_t httpd_log_t:dir { getattr read search };
-allow webalizer_t httpd_log_t:file { read getattr };
-allow webalizer_t httpd_log_t:lnk_file { getattr read };
-
-allow webalizer_t httpd_sys_content_t:dir create_dir_perms;
-allow webalizer_t httpd_sys_content_t:file create_file_perms;
-allow webalizer_t httpd_sys_content_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 155c9a3..3966860 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -432,6 +432,26 @@ interface(`apache_run_helper',`
########################################
##
+## Allow the specified domain to read
+## apache log files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 httpd_log_t:dir r_dir_perms;
+ allow $1 httpd_log_t:file r_file_perms;
+ allow $1 httpd_log_t:lnk_file { getattr read };
+')
+
+########################################
+##
## Do not audit attempts to append to the
## Apache logs.
##
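Review bot: `files_search_var($1)` in apache_read_log only covers search on the /var directory type. If the Apache logs sit under /var/log as is usual, the caller also needs search on the log directory type. `logging_search_logs($1)` looks like the appropriate helper here, unless callers are expected to obtain that access themselves. Without it the interface may silently depend on unrelated rules in the calling domain, which makes denials hard to trace. The header comment could also state that the access is read-only and includes listing the log directory and following symlinks.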
@@ -467,6 +487,27 @@ interface(`apache_list_modules',`
########################################
##
+## Allow the specified domain to manage
+## apache system content files.
+##
+##
+## Domain allowed access.
+##
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 httpd_sys_content_t:dir create_dir_perms;
+ allow $1 httpd_sys_content_t:file create_file_perms;
+ allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
+')
+
+########################################
+##
## Execute all web scripts in the system
## script domain.
##
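Review bot: The gen_require block in apache_manage_sys_content declares `type httpd_log_t;`, but the three allow rules reference httpd_sys_content_t, which looks like a copy-paste from apache_read_log. It should be `type httpd_sys_content_t;`. As written, the interface relies on the type already being declared elsewhere, and would likely fail where requires are enforced. The comment above the interface notes that this content lives under /var, /etc, /srv and /usr, yet only `files_search_var($1)` is granted. The comment should say that callers must obtain search access to the other parent directories themselves, or the interface should grant it.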
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index cc80db1..0d885fc 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -262,4 +262,8 @@ ifdef(`targeted_policy',`
optional_policy(`vpn.te',`
vpn_run(sysadm_t,sysadm_r,admin_terminal)
')
+
+ optional_policy(`webalizer.te',`
+ webalizer_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
')