From 020cbefc48cfc80fe91d309f3313e10015403f30 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 10 Jan 2006 14:39:21 +0000
Subject: [PATCH] add logwatch
---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/admin/logwatch.fc | 4 +
 refpolicy/policy/modules/admin/logwatch.if | 18 ++++
 refpolicy/policy/modules/admin/logwatch.te | 103 +++++++++++++++++++++
 refpolicy/policy/modules/services/mta.te | 4 +
 5 files changed, 130 insertions(+)
 create mode 100644 refpolicy/policy/modules/admin/logwatch.fc
 create mode 100644 refpolicy/policy/modules/admin/logwatch.if
 create mode 100644 refpolicy/policy/modules/admin/logwatch.te
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 27d3510b..ba537393 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
 ddcprobe
 fetchmail
 irc
+ logwatch (Dan Walsh)
 openct
 readahead
 slrnpull
diff --git a/refpolicy/policy/modules/admin/logwatch.fc b/refpolicy/policy/modules/admin/logwatch.fc
new file mode 100644
index 00000000..67ff2c13
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logwatch.fc
@@ -0,0 +1,4 @@
+
+/usr/share/logwatch/scripts/logwatch.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
diff --git a/refpolicy/policy/modules/admin/logwatch.if b/refpolicy/policy/modules/admin/logwatch.if
new file mode 100644
index 00000000..5a5deb1b
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logwatch.if
@@ -0,0 +1,18 @@
+## System log analyzer and reporter
+
+########################################
+##
+## Read logwatch temporary files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`logwatch_read_tmp_files',`
+ gen_require(`
+ type logwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logwatch_tmp_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
new file mode 100644
index 00000000..886bf37f
--- /dev/null
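Review bot: `logwatch_read_tmp_files` grants `r_file_perms` on `logwatch_tmp_t:file` but no search permission on `logwatch_tmp_t` directories, while the logwatch.te hunk in this same patch lets `logwatch_t` create such directories (`files_create_tmp_files(logwatch_t, logwatch_tmp_t, { file dir })`). If the report is written into one of those directories, the caller's `files_search_tmp($1)` reaches /tmp but not the logwatch-owned subdirectory, so `system_mail_t` would be denied before it can open the file. Adding `allow $1 logwatch_tmp_t:dir search_dir_perms;` next to the existing allow covers that case; whether logwatch actually stages its mail under a temp directory cannot be confirmed from this hunk.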
+++ b/refpolicy/policy/modules/admin/logwatch.te 
@@ -0,0 +1,103 @@
+
+policy_module(logwatch,1.0.0)
+
+#################################
+#
+# Declarations
+#
+
+type logwatch_t;
+type logwatch_exec_t;
+domain_type(logwatch_t)
+domain_entry_file(logwatch_t,logwatch_exec_t)
+role system_r types logwatch_t;
+
+type logwatch_cache_t;
+files_type(logwatch_cache_t)
+
+type logwatch_tmp_t;
+files_tmp_file(logwatch_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow logwatch_t self:capability setgid;
+allow logwatch_t self:fifo_file rw_file_perms;
+allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+allow logwatch_t logwatch_cache_t:dir create_dir_perms;
+allow logwatch_t logwatch_cache_t:file create_file_perms;
+
+allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
+allow logwatch_t logwatch_tmp_t:file create_file_perms;
+files_create_tmp_files(logwatch_t, logwatch_tmp_t, { file dir })
+
+kernel_read_fs_sysctl(logwatch_t)
+kernel_read_kernel_sysctl(logwatch_t)
+kernel_read_system_state(logwatch_t)
+
+corecmd_read_sbin_file(logwatch_t)
+corecmd_exec_bin(logwatch_t)
+corecmd_exec_shell(logwatch_t)
+
+dev_read_urand(logwatch_t)
+
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logwatch_t)
+
+files_read_etc_files(logwatch_t)
+files_read_etc_runtime_files(logwatch_t)
+files_read_usr_files(logwatch_t)
+files_search_spool(logwatch_t)
+files_dontaudit_search_home(logwatch_t)
+
+fs_getattr_all_fs(logwatch_t)
+
+term_dontaudit_getattr_pty_dir(logwatch_t)
+term_dontaudit_list_ptys(logwatch_t)
+
+auth_dontaudit_read_shadow(logwatch_t)
+
+libs_use_ld_so(logwatch_t)
+libs_use_shared_libs(logwatch_t)
+libs_read_lib(logwatch_t)
+
+logging_read_all_logs(logwatch_t)
+
+miscfiles_read_localization(logwatch_t)
+
+userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
+userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
+
+mta_send_mail(logwatch_t)
+
+optional_policy(`apache',`
+ apache_read_log(logwatch_t)
+')
+
+optional_policy(`bind',`
+ bind_read_config(logwatch_t)
+ bind_read_zone(logwatch_t)
+')
+
+optional_policy(`cron',`
+ cron_system_entry(logwatch_t, logwatch_exec_t)
+')
+
+optional_policy(`mta',`
+ mta_getattr_spool(logwatch_t)
+')
+
+optional_policy(`nscd',`
+ nscd_use_socket(logwatch_t)
+')
+
+optional_policy(`rpc',`
+ rpc_search_nfs_state_data(logwatch_t)
+')
+
+optional_policy(`samba',`
+ samba_read_log(logwatch_t)
+')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 07a191e4..d7f0008c 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -124,6 +124,10 @@ optional_policy(`logrotate',`
 logrotate_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`logwatch',`
+ logwatch_read_tmp_files(system_mail_t)
+')
+
 optional_policy(`postfix',`
 allow system_mail_t etc_aliases_t:dir create_dir_perms;
 allow system_mail_t etc_aliases_t:file create_file_perms;
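Review bot: `mta_send_mail(logwatch_t)` is called unconditionally in the local policy section, while the same hunk wraps `mta_getattr_spool(logwatch_t)` in `optional_policy(`mta',`...')`; the two calls disagree on whether mta is a hard dependency, and if the mta module is not built the unconditional call would presumably fail to expand and break the logwatch module. The cleaner form is to move it into the existing optional block, `optional_policy(`mta',`` / `mta_send_mail(logwatch_t)` / `mta_getattr_spool(logwatch_t)` / `')`, so every mta interface use is guarded in one place. If logwatch is meant to require mta for delivering its report, drop the optional wrapper around `mta_getattr_spool` instead and say so in a comment above the two calls.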