Reorganized policy rules; added the search permission on cert_t:dir

Eric Renfro 2015-11-09 11:39:24 -05:00
parent 8fffd0bd7c
commit 231135a574


@ -1,5 +1,5 @@
policy_module(mlogc,1.0.44)
policy_module(mlogc,1.0.46)
########################################
#
@ -31,7 +31,6 @@ require {
type tmp_t;
type passwd_file_t;
type http_port_t;
#type init_t;
class process { siginh signal noatsecure rlimitinh };
class unix_stream_socket { read write };
class chr_file { read getattr open };
@ -56,26 +55,25 @@ require {
# mlogc local policy
#
allow httpd_t mlogc_exec_t:file { read open execute };
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
#allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
#rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
##append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
##read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
##read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#
#create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#logging_log_filetrans(mlogc_t, mlogc_log_t, file)
#
#append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
#
#
#allow mlogc_t mlogc_tmp_t:file manage_file_perms;
#files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
@ -98,25 +96,55 @@ files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
##allow mlogc_t cert_t:file read;
#============= httpd_t ==============
allow httpd_t mlogc_exec_t:file { read open execute };
allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
allow httpd_t mlogc_log_t:dir { write create add_name };
allow httpd_t mlogc_log_t:file { write create open };
#============= mlogc_t ==============
# init
allow mlogc_t self:capability dac_override;
# log files
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
# tmp files
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
# tcp_socket
allow mlogc_t http_port_t:tcp_socket name_connect;
allow mlogc_t self:tcp_socket { write read };
allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
allow mlogc_t cert_t:dir getattr;
# nss cert files
allow mlogc_t cert_t:dir { getattr search };
allow mlogc_t cert_t:file { read getattr open lock };
dontaudit mlogc_t cert_t:dir write;
dontaudit mlogc_t cert_t:file write;
allow mlogc_t cert_t:file read;
# urandom
allow mlogc_t urandom_device_t:chr_file { read getattr open };
# passwd
allow mlogc_t passwd_file_t:file { getattr read open };
#allow mlogc_t http_port_t:tcp_socket { create connect name_connect getopt getattr setopt };
#allow mlogc_t cert_t:dir { write getattr };