From 0cf6df55e5bca9a70d952cb99aa60738c26751c3 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 17 Sep 2007 17:25:40 +0000
Subject: [PATCH] trunk: add awstats from Stefan Schulze Frielinghaus.

---
 Changelog | 1 +
 policy/modules/apps/awstats.fc | 5 +++
 policy/modules/apps/awstats.if | 42 +++++++++++++++++++
 policy/modules/apps/awstats.te | 77 ++++++++++++++++++++++++++++++++++
 4 files changed, 125 insertions(+)
 create mode 100644 policy/modules/apps/awstats.fc
 create mode 100644 policy/modules/apps/awstats.if
 create mode 100644 policy/modules/apps/awstats.te

diff --git a/Changelog b/Changelog
index 06ef1947..5f55572a 100644
--- a/Changelog
+++ b/Changelog
@@ -17,6 +17,7 @@
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
 application
+ awstats (Stefan Schulze Frielinghaus)
 bitlbee (Devin Carraway)
 brctl (Dan Walsh)
diff --git a/policy/modules/apps/awstats.fc b/policy/modules/apps/awstats.fc
new file mode 100644
index 00000000..5f0fa49d
--- /dev/null
+++ b/policy/modules/apps/awstats.fc
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
new file mode 100644
index 00000000..83a657ed
--- /dev/null
+++ b/policy/modules/apps/awstats.if
@@ -0,0 +1,42 @@
+##
+## AWStats is a free powerful and featureful tool that generates advanced
+## web, streaming, ftp or mail server statistics, graphically.
+##
+
+########################################
+##
+## Read and write awstats unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`awstats_rw_pipes',`
+ gen_require(`
+ type awstats_t;
+ ')
+
+ allow $1 awstats_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Execute awstats cgi scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`awstats_cgi_exec',`
+ gen_require(`
+ type httpd_awstats_script_exec_t;
+ ')
+
+ allow $1 httpd_awstats_content_t:dir search_dir_perms;
+ allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
+ can_exec($1,httpd_awstats_script_exec_t)
+')
diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
new file mode 100644
index 00000000..a06510ff
--- /dev/null
+++ b/policy/modules/apps/awstats.te
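Review bot: `awstats_cgi_exec` references `httpd_awstats_content_t` in its first allow rule, but the interface's `gen_require` block declares only `httpd_awstats_script_exec_t`; every type an interface uses must be required, otherwise a caller in another module hits an undeclared type at build time (the omission is masked here only because awstats.te calls the interface from the module that declares the type). Change the block to `type httpd_awstats_content_t, httpd_awstats_script_exec_t;`. A small style point in the same interface: `can_exec($1,httpd_awstats_script_exec_t)` omits the space after the comma that the macro calls in awstats.te use.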
@@ -0,0 +1,77 @@
+
+policy_module(awstats,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# awstats policy
+#
+
+awstats_rw_pipes(awstats_t)
+awstats_cgi_exec(awstats_t)
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
+
+# dontaudit access to /proc/meminfo
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_read_etc_files(awstats_t)
+# e.g. /usr/share/awstats/lang/awstats-en.txt
+files_read_usr_files(awstats_t)
+
+libs_read_lib_files(awstats_t)
+libs_use_ld_so(awstats_t)
+libs_use_shared_libs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+apache_read_log(awstats_t)
+
+optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+ # dontaudit searching nscd pid directory
+ nscd_dontaudit_search_pid(awstats_t)
+')
+
+########################################
+#
+# awstats cgi script policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir read;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
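Review bot: The bare `allow httpd_awstats_script_t awstats_var_lib_t:dir read;` in the cgi script section is the only raw permission in a file otherwise written with refpolicy permission sets, and `read` alone is of little use on a directory without `getattr` and `search`; `read_files_pattern` two lines below already grants `search_dir_perms` on the same type. Either spell the intent as `allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;` or drop the line if the CGI only opens known file names under /var/lib/awstats. In the awstats policy section, `awstats_rw_pipes(awstats_t)` grants the domain access to its own fifo files by way of the module's own interface; the conventional spelling is `allow awstats_t self:fifo_file rw_fifo_file_perms;`, leaving the interface for external callers.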