Reorg, added search to cert_t:dir
This commit is contained in:
parent
8fffd0bd7c
commit
231135a574
1 changed files with 50 additions and 22 deletions
72
mlogc.te
72
mlogc.te
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(mlogc,1.0.44)
|
policy_module(mlogc,1.0.46)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -31,7 +31,6 @@ require {
|
||||||
type tmp_t;
|
type tmp_t;
|
||||||
type passwd_file_t;
|
type passwd_file_t;
|
||||||
type http_port_t;
|
type http_port_t;
|
||||||
#type init_t;
|
|
||||||
class process { siginh signal noatsecure rlimitinh };
|
class process { siginh signal noatsecure rlimitinh };
|
||||||
class unix_stream_socket { read write };
|
class unix_stream_socket { read write };
|
||||||
class chr_file { read getattr open };
|
class chr_file { read getattr open };
|
||||||
|
@ -56,26 +55,25 @@ require {
|
||||||
# mlogc local policy
|
# mlogc local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow httpd_t mlogc_exec_t:file { read open execute };
|
|
||||||
|
|
||||||
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
|
#allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
|
||||||
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
#rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
#create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
##append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
##read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
##read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
#
|
||||||
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
#create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
#rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
#rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
#delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
|
#logging_log_filetrans(mlogc_t, mlogc_log_t, file)
|
||||||
|
#
|
||||||
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
|
#append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
|
||||||
|
#
|
||||||
|
#
|
||||||
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
|
#allow mlogc_t mlogc_tmp_t:file manage_file_perms;
|
||||||
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
|
#files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -98,25 +96,55 @@ files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
|
||||||
##allow mlogc_t cert_t:file read;
|
##allow mlogc_t cert_t:file read;
|
||||||
|
|
||||||
#============= httpd_t ==============
|
#============= httpd_t ==============
|
||||||
|
|
||||||
|
allow httpd_t mlogc_exec_t:file { read open execute };
|
||||||
allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
|
allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
|
||||||
allow httpd_t mlogc_log_t:dir { write create add_name };
|
allow httpd_t mlogc_log_t:dir { write create add_name };
|
||||||
allow httpd_t mlogc_log_t:file { write create open };
|
allow httpd_t mlogc_log_t:file { write create open };
|
||||||
|
|
||||||
#============= mlogc_t ==============
|
#============= mlogc_t ==============
|
||||||
|
|
||||||
|
# init
|
||||||
allow mlogc_t self:capability dac_override;
|
allow mlogc_t self:capability dac_override;
|
||||||
|
|
||||||
|
# log files
|
||||||
|
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
|
||||||
|
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
|
||||||
|
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
||||||
|
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
|
||||||
|
|
||||||
|
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
|
# tmp files
|
||||||
|
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
|
||||||
|
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
|
||||||
|
|
||||||
|
# tcp_socket
|
||||||
allow mlogc_t http_port_t:tcp_socket name_connect;
|
allow mlogc_t http_port_t:tcp_socket name_connect;
|
||||||
allow mlogc_t self:tcp_socket { write read };
|
allow mlogc_t self:tcp_socket { write read };
|
||||||
allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
|
allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
|
||||||
|
|
||||||
allow mlogc_t cert_t:dir getattr;
|
# nss cert files
|
||||||
|
allow mlogc_t cert_t:dir { getattr search };
|
||||||
allow mlogc_t cert_t:file { read getattr open lock };
|
allow mlogc_t cert_t:file { read getattr open lock };
|
||||||
|
|
||||||
|
dontaudit mlogc_t cert_t:dir write;
|
||||||
|
dontaudit mlogc_t cert_t:file write;
|
||||||
|
allow mlogc_t cert_t:file read;
|
||||||
|
|
||||||
|
# urandom
|
||||||
allow mlogc_t urandom_device_t:chr_file { read getattr open };
|
allow mlogc_t urandom_device_t:chr_file { read getattr open };
|
||||||
|
|
||||||
|
# passwd
|
||||||
allow mlogc_t passwd_file_t:file { getattr read open };
|
allow mlogc_t passwd_file_t:file { getattr read open };
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#allow mlogc_t http_port_t:tcp_socket { create connect name_connect getopt getattr setopt };
|
#allow mlogc_t http_port_t:tcp_socket { create connect name_connect getopt getattr setopt };
|
||||||
|
|
||||||
#allow mlogc_t cert_t:dir { write getattr };
|
#allow mlogc_t cert_t:dir { write getattr };
|
||||||
|
|
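Review bot: The trailing `allow mlogc_t cert_t:file read;` under the nss cert files comment is redundant with `allow mlogc_t cert_t:file { read getattr open lock };` a few lines above it and should be dropped so the cert_t grant is stated once. The two `dontaudit mlogc_t cert_t:dir write;` / `dontaudit mlogc_t cert_t:file write;` rules are the right choice over a write allow, but they silence a denial without saying why; a comment such as `# NSS appears to try opening the cert DB read-write before falling back to read-only; the denial is expected and harmless, so silence rather than allow it -- confirm against the AVC log` would let the next maintainer know the write attempt was investigated rather than just muted. Since the file already uses refpolicy patterns (`rw_files_pattern`, `logging_log_filetrans`), the raw `cert_t` rules and the `type cert_t;` in the require block could be replaced by the matching interface, `miscfiles_read_generic_certs(mlogc_t)`, if the target policy provides it, which keeps the module portable across cert_t labeling changes. The commented-out `#allow mlogc_t cert_t:dir { write getattr };` at the bottom is now dead history and can go too.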