From 99c902f305c5fff5945da698e5dcfa3b89482e89 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mar 21 2006 20:12:24 +0000
Subject: add calamaris, bug 1518
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1730699..4c4530d 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -12,6 +12,7 @@ amavis (Erich Schubert)
 apt (Erich Schubert)
 audioentropy
+ calamaris
 clamav (Erich Schubert)
 dpkg (Erich Schubert)
 ethereal
diff --git a/refpolicy/policy/modules/apps/calamaris.fc b/refpolicy/policy/modules/apps/calamaris.fc
new file mode 100644
index 0000000..9cbd0a0
--- /dev/null
+++ b/refpolicy/policy/modules/apps/calamaris.fc
@@ -0,0 +1,10 @@
+#
+# /etc
+#
+/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+#
+# /var
+#
+/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0)
+/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/refpolicy/policy/modules/apps/calamaris.if b/refpolicy/policy/modules/apps/calamaris.if
new file mode 100644
index 0000000..e180a59
--- /dev/null
+++ b/refpolicy/policy/modules/apps/calamaris.if
@@ -0,0 +1,21 @@
+## Squid log analysis
+
+#######################################
+##
+## Allow domain to read calamaris www files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`calamaris_read_www_files',`
+ gen_require(`
+ type calamaris_www_t;
+ ')
+
+ allow $1 calamaris_www_t:dir r_dir_perms;
+ allow $1 calamaris_www_t:file r_file_perms;
+ allow $1 calamaris_www_t:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/apps/calamaris.te b/refpolicy/policy/modules/apps/calamaris.te
new file mode 100644
index 0000000..ab87bf2
--- /dev/null
+++ b/refpolicy/policy/modules/apps/calamaris.te
@@ -0,0 +1,97 @@
+
+policy_module(calamaris,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type calamaris_t;
+type calamaris_exec_t;
+init_system_domain(calamaris_t,calamaris_exec_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+########################################
+#
+# Local policy
+#
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { fork signal_perms setsched };
+allow calamaris_t self:fifo_file { getattr read write ioctl };
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:tcp_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+
+allow calamaris_t calamaris_www_t:dir rw_dir_perms;
+allow calamaris_t calamaris_www_t:file manage_file_perms;
+allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
+
+allow calamaris_t calamaris_log_t:file create_file_perms;
+allow calamaris_t calamaris_log_t:dir rw_dir_perms;
+logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_raw_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_all_nodes(calamaris_t)
+corenet_udp_sendrecv_all_nodes(calamaris_t)
+corenet_raw_sendrecv_all_nodes(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+corenet_non_ipsec_sendrecv(calamaris_t)
+corenet_tcp_bind_all_nodes(calamaris_t)
+corenet_udp_bind_all_nodes(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_search_pids(calamaris_t)
+files_read_etc_files(calamaris_t)
+files_read_usr_files(calamaris_t)
+files_read_var_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+libs_use_ld_so(calamaris_t)
+libs_use_shared_libs(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+sysnet_read_config(calamaris_t)
+
+userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
+
+squid_read_log(calamaris_t)
+
+optional_policy(`apache', `
+ apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`bind', `
+ bind_udp_chat_named(calamaris_t)
+')
+
+optional_policy(`cron', `
+ cron_system_entry(calamaris_t,calamaris_exec_t)
+')
+
+optional_policy(`mta',`
+ mta_send_mail(calamaris_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(calamaris_t)
+')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 6ba4d3e..cbd528e 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -785,7 +785,25 @@ interface(`apache_append_squirrelmail_data',`
 ########################################
 ##
-## Read apache system content
+## Search apache system content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read apache system content.
 ##
 ##
 ##
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 63ebb52..5d1f593 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.2)
+policy_module(apache,1.3.3)
 #
 # NOTES:
@@ -396,6 +396,10 @@ tunable_policy(`httpd_tty_comm',`
 userdom_dontaudit_use_sysadm_terms(httpd_t)
 ')
+optional_policy(`calamaris',`
+ calamaris_read_www_files(httpd_t)
+')
+
 optional_policy(`daemontools',`
 daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
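Review bot: The network rules in the calamaris.te hunk are far broader than a log analyser run from cron.daily needs: `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_tcp_bind_all_nodes` and `corenet_udp_bind_all_nodes` let calamaris_t bind and exchange traffic on any port, while the only network use the rest of the module shows is DNS to named (`bind_udp_chat_named`) and mail through `mta_send_mail`, so the port and bind rules look like candidates for trimming to what the program actually does. The three `corenet_raw_sendrecv_*` lines appear inert, since no `self:rawip_socket` rule is granted anywhere in the hunk; either drop them or add the socket permission they presuppose. The `dac_override` capability justified by the "different UID" comment bypasses all DAC checks for writing as well as reading; `dac_read_search` would cover reading squid's logs and is the narrower choice if that is the only cross-UID access needed. Minor style: the apache, bind and cron optional_policy blocks carry a space after the comma, the mta and nis ones do not.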
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index 7de201b..b551711 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -254,3 +254,21 @@ interface(`bind_read_zone',`
 allow $1 named_zone_t:file r_file_perms;
 ')
+########################################
+##
+## Send and receive datagrams to and from named.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_udp_chat_named',`
+ gen_require(`
+ type named_t;
+ ')
+ allow $1 named_t:udp_socket sendto;
+ allow named_t $1:udp_socket recvfrom;
+')
+
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index bd78248..c660545 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.1.0)
+policy_module(bind,1.1.1)
 ########################################
 #
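Review bot: `bind_udp_chat_named` only covers the query direction: `allow $1 named_t:udp_socket sendto;` together with `allow named_t $1:udp_socket recvfrom;` lets the caller send to named, but nothing in the hunk lets named answer, so as far as these two rules go the reply datagram would be denied unless the reverse path is granted elsewhere, which this hunk does not show. For the "send and receive" the summary promises, add the reverse pair `allow named_t $1:udp_socket sendto;` and `allow $1 named_t:udp_socket recvfrom;`. Minor style: the other interfaces in this commit leave a blank line after the closing `')` of gen_require, whereas this one runs straight into the allow rules.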