trunk: add awstats from Stefan Schulze Frielinghaus.

2007-09-17 17:25:40 +00:00 · 2007-09-17 17:25:40 +00:00 · 0cf6df55e5
parent 8242f5a68d
commit 0cf6df55e5
4 changed files with 125 additions and 0 deletions
--- a/1
+++ b/1
@ -17,6 +17,7 @@
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
 	application
+	awstats (Stefan Schulze Frielinghaus)
 	bitlbee (Devin Carraway)
 	brctl (Dan Walsh)

--- a/policy/modules/apps/awstats.fc
+++ b/policy/modules/apps/awstats.fc
@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl		--	gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)?		gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)?				gen_context(system_u:object_r:awstats_var_lib_t,s0)
--- a/policy/modules/apps/awstats.if
+++ b/policy/modules/apps/awstats.if
@ -0,0 +1,42 @@
+## <summary>
+##	AWStats is a free powerful and featureful tool that generates advanced
+##	web, streaming, ftp or mail server statistics, graphically.
+## </summary>
+
+########################################
+## <summary>
+##      Read and write awstats unnamed pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`awstats_rw_pipes',`
+	gen_require(`
+		type awstats_t;
+	')
+
+	allow $1 awstats_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##      Execute awstats cgi scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`awstats_cgi_exec',`
+	gen_require(`
+		type httpd_awstats_script_exec_t;
+	')
+
+	allow $1 httpd_awstats_content_t:dir search_dir_perms;
+	allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
+	can_exec($1,httpd_awstats_script_exec_t)
+')
--- a/policy/modules/apps/awstats.te
+++ b/policy/modules/apps/awstats.te
@ -0,0 +1,77 @@
+
+policy_module(awstats,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# awstats policy
+#
+
+awstats_rw_pipes(awstats_t)
+awstats_cgi_exec(awstats_t)
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
+
+# dontaudit access to /proc/meminfo
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_read_etc_files(awstats_t)
+# e.g. /usr/share/awstats/lang/awstats-en.txt
+files_read_usr_files(awstats_t)
+
+libs_read_lib_files(awstats_t)
+libs_use_ld_so(awstats_t)
+libs_use_shared_libs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+apache_read_log(awstats_t)
+
+optional_policy(`
+	cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+	# dontaudit searching nscd pid directory
+	nscd_dontaudit_search_pid(awstats_t)
+')
+
+########################################
+#
+# awstats cgi script policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir read;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)