patches from erich Wed, 13 Sep 2006 16:18:18 +0200

policy/modules/admin/apt.te

@@ -97,7 +97,7 @@ files_exec_usr_files(apt_t)
 files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
-fs_dontaudit_getattr_all_fs(apt_t)
+fs_getattr_all_fs(apt_t)
 
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)

policy/modules/admin/logrotate.fc

@@ -1,13 +1,7 @@
 /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/usr/sbin/logcheck	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/var/lib/logcheck(/.*)?		gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck	-d	gen_context(system_u:object_r:logrotate_tmp_t,s0)
-
 ifdef(`distro_debian', `
 /usr/bin/savelog	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)

policy/modules/admin/logwatch.fc

@@ -1,4 +1,7 @@
+/usr/sbin/logcheck	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
 
-/usr/share/logwatch/scripts/logwatch\.pl	--	gen_context(system_u:object_r:logwatch_exec_t, s0)
+/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
 
-/var/cache/logwatch(/.*)?			gen_context(system_u:object_r:logwatch_cache_t, s0)
+/var/cache/logwatch(/.*)?	gen_context(system_u:object_r:logwatch_cache_t, s0)
+/var/lib/logcheck(/.*)?		gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/log/logcheck/.+	--	gen_context(system_u:object_r:logwatch_lock_t,s0)

policy/modules/admin/logwatch.if

@@ -18,3 +18,21 @@ interface(`logwatch_read_tmp_files',`
 	files_search_tmp($1)
 	allow $1 logwatch_tmp_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##	Search logwatch cache directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logwatch_search_cache_dir',`
+	gen_require(`
+		type logwatch_cache_t;
+	')
+
+	allow $1 logwatch_cache_t:dir search;
+')

policy/modules/admin/logwatch.te

@@ -15,6 +15,9 @@ role system_r types logwatch_t;
 type logwatch_cache_t;
 files_type(logwatch_cache_t)
 
+type logwatch_lock_t;
+files_lock_file(logwatch_lock_t)
+
 type logwatch_tmp_t;
 files_tmp_file(logwatch_tmp_t)
 
@@ -24,12 +27,16 @@ files_tmp_file(logwatch_tmp_t)
 #
 
 allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
 
 allow logwatch_t logwatch_cache_t:dir create_dir_perms;
 allow logwatch_t logwatch_cache_t:file create_file_perms;
 
+allow logwatch_t logwatch_lock_t:file manage_file_perms;
+files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
+
 allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
 allow logwatch_t logwatch_tmp_t:file create_file_perms;
 files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
@@ -41,7 +48,9 @@ kernel_read_system_state(logwatch_t)
 corecmd_read_sbin_symlinks(logwatch_t)
 corecmd_read_sbin_files(logwatch_t)
 corecmd_exec_bin(logwatch_t)
+corecmd_exec_sbin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
+corecmd_exec_ls(logwatch_t)
 
 dev_read_urand(logwatch_t)
 
@@ -92,6 +101,10 @@ optional_policy(`
 	cron_system_entry(logwatch_t, logwatch_exec_t)
 ')
 
+optional_policy(`
+	hostname_exec(logwatch_t)
+')
+
 optional_policy(`
 	mta_getattr_spool(logwatch_t)
 ')

policy/modules/services/cron.te

@@ -140,6 +140,13 @@ userdom_list_all_users_home_dirs(crond_t)
 
 mta_send_mail(crond_t)
 
+ifdef(`distro_debian',`
+	optional_policy(`
+		# Debian logcheck has the home dir set to its cache
+		logwatch_search_cache_dir(crond_t)
+	')
+')
+
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.