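policy_module(mlogc,1.0.44)

########################################
#
# Declarations
#
# Confines mlogc (the ModSecurity audit-log collector, spawned by httpd)
# in its own domain, mlogc_t, instead of leaving it inside httpd_t.  Most
# raw allow rules below look like audit2allow output; where a refpolicy
# interface covers the same access, the comment names it so the rule can
# be replaced once the policy is cleaned up.

type mlogc_t;

type mlogc_exec_t;

# Let httpd_t execute mlogc_exec_t and transition into mlogc_t.  The
# interface body is not in this file (expected in the module's .if file).
mlogc_domtrans(httpd_t)

# NOTE(review): domain_type() and domain_entry_file() are commented out.
# Confirm that mlogc_domtrans() or another rule makes mlogc_t a domain and
# mlogc_exec_t its entry point; without that no transition can take place.
#role system_r types mlogc_t;
#domain_type(mlogc_t)
#domain_entry_file(mlogc_t, mlogc_exec_t)

# Log directory and files owned by mlogc.
type mlogc_log_t;
logging_log_file(mlogc_log_t)

#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;

# Scratch files mlogc creates under /tmp.
type mlogc_tmp_t;
files_tmp_file(mlogc_tmp_t)

# Types and classes from other modules that the raw rules below refer to.
# mlogc_t and mlogc_log_t are declared by this module itself, so requiring
# them here is redundant.  tmp_t, unix_stream_socket and init_t are only
# referenced by commented-out rules.
require {
	type cert_t;
	type mlogc_log_t;
	type urandom_device_t;
	type mlogc_t;
	type httpd_t;
	type httpd_log_t;
	type tmp_t;
	type passwd_file_t;
	type http_port_t;
	#type init_t;
	class process { siginh signal noatsecure rlimitinh };
	class unix_stream_socket { read write };
	class chr_file { read getattr open };
	class capability dac_override;
	class tcp_socket { write getattr setopt read getopt create name_connect connect };
	class file { rename read lock create write getattr unlink open append };
	class dir { write getattr read remove_name create add_name };
}

#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;

#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;

#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)

########################################
#
# mlogc local policy
#

# Redundant with mlogc_domtrans(httpd_t) if that interface is built on
# domain_auto_transition_pattern(); harmless otherwise.
allow httpd_t mlogc_exec_t:file { read open execute };

# Full management of its own log directory and files, plus the file
# transition so files mlogc creates under the log directory get mlogc_log_t.
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)

create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
logging_log_filetrans(mlogc_t, mlogc_log_t, file)

# mlogc may append to httpd's log files; append only, no read.
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)

# Temporary files, created with the mlogc_tmp_t label.
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)

##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
#allow httpd_t mlogc_exec_t:file { read open execute };
##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
##allow httpd_log_t mlogc_exec_t:file { read open };

#allow mlogc_t mlogc_log_t:dir { read getattr create write };
#allow mlogc_t mlogc_log_t:file { write rename unlink open };

##allow mlogc_t httpd_log_t:file { read_file_perms };

#dontaudit httpd_t cert_t:file write;
##allow mlogc_t cert_t:file read;

#============= httpd_t ==============
# httpd_t starts mlogc and must be able to signal it.  The transition
# inheritance permissions (siginh, rlimitinh, noatsecure) are deliberately
# NOT allowed, only dontaudited, as refpolicy's domain_auto_transition_pattern()
# does: with them denied the kernel flushes inherited signal state, resets
# rlimits and sets AT_SECURE on the new image, so libc runs mlogc in
# secure-execution mode and ignores unsafe environment (e.g. LD_PRELOAD)
# inherited from httpd.  Allowing them, as the audit2allow output did,
# would let mlogc inherit all of that from httpd_t.
allow httpd_t mlogc_t:process signal;
dontaudit httpd_t mlogc_t:process { siginh noatsecure rlimitinh };

# httpd writes into mlogc's log directory (create/write only, never read).
allow httpd_t mlogc_log_t:dir { write create add_name };
allow httpd_t mlogc_log_t:file { write create open };

#============= mlogc_t ==============

# dac_override lets mlogc_t bypass every DAC owner/mode check.  This usually
# means the log or tmp files are owned by a different user than mlogc runs
# as; fixing the ownership would allow this rule to be dropped.
# NOTE(review): confirm it is still needed before keeping it.
allow mlogc_t self:capability dac_override;

# Outbound TCP to an http port (presumably the remote log console).
# refpolicy equivalent for name_connect: corenet_tcp_connect_http_port(mlogc_t).
allow mlogc_t http_port_t:tcp_socket name_connect;
allow mlogc_t self:tcp_socket { create connect getattr getopt setopt read write };

# Read-only access to the system certificate store
# (refpolicy: miscfiles_read_generic_certs(mlogc_t)).
allow mlogc_t cert_t:dir getattr;
allow mlogc_t cert_t:file { read getattr open lock };

# Read /dev/urandom (refpolicy: dev_read_urand(mlogc_t)).
allow mlogc_t urandom_device_t:chr_file { read getattr open };

# Read /etc/passwd for user lookups (refpolicy: auth_read_passwd(mlogc_t)).
allow mlogc_t passwd_file_t:file { getattr read open };

#allow mlogc_t http_port_t:tcp_socket { create connect name_connect getopt getattr setopt };

#allow mlogc_t cert_t:dir { write getattr };
#allow mlogc_t cert_t:file { read write getattr open lock };

#allow mlogc_t httpd_log_t:file append;
#allow mlogc_t init_t:unix_stream_socket { read write };
#allow mlogc_t mlogc_log_t:file { read getattr append };
#allow mlogc_t self:capability dac_override;
#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };

#allow mlogc_t urandom_device_t:chr_file { read getattr open };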