From 3d702bf682c989e8b7f286bc7fbc0092f69835cd Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Mon, 9 Nov 2015 02:24:42 -0500
Subject: [PATCH] Initial commit at 1.0.39
---
mlogc.fc | 9 +++++
mlogc.if | 81 +++++++++++++++++++++++++++++++++++++
mlogc.te | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 209 insertions(+)
create mode 100644 mlogc.fc
create mode 100644 mlogc.if
create mode 100644 mlogc.te
diff --git a/mlogc.fc b/mlogc.fc
new file mode 100644
index 0000000..7709e73
--- /dev/null
+++ b/mlogc.fc
@@ -0,0 +1,9 @@
+# mlogc executable will have:
+# label: system_u:object_r:mlogc_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+
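Review bot: The `/var/log/mlogc/data(/.*)?` entry on the last line is already matched by the preceding `/var/log/mlogc(/.*)?` pattern with the same context, so it adds nothing as written. If the intent is that httpd only writes into `data/` while mlogc owns the rest of the tree, give that subdirectory its own type (e.g. `mlogc_data_t`) and scope the httpd_t rules in mlogc.te to it; otherwise drop the line. The header comments are still the template text (`MCS categories:` is left blank) and should be filled in or removed.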
diff --git a/mlogc.if b/mlogc.if
new file mode 100644
index 0000000..da0cff4
--- /dev/null
+++ b/mlogc.if
@@ -0,0 +1,81 @@
+## mlogc policy
+##
+##
+## More descriptive text about mlogc. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+##
+##
+## This policy supports the following mlogc features:
+##
+## - Feature A
+## - Feature B
+## - Feature C
+##
+##
+##
+#
+
+########################################
+##
+## Execute a domain transition to run mlogc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mlogc_domtrans',`
+ gen_require(`
+ type mlogc_t, mlogc_exec_t;
+ type httpd_t, httpd_exec_t;
+ role system_r;
+ ')
+
+ domain_type(mlogc_t)
+ domain_entry_file(mlogc_t, mlogc_exec_t)
+
+ role system_r types mlogc_t;
+
+ domtrans_pattern($1, mlogc_exec_t, mlogc_t)
+ #domtrans_pattern($1,mlogc_exec_t,mlogc_t)
+')
+
+########################################
+##
+## Read mlogc log files.
+##
+##
+##
+## Domain allowed to read the log files.
+##
+##
+#
+interface(`mlogc_read_log',`
+ gen_require(`
+ type mlogc_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 mlogc_log_t:file read_file_perms;
+')
+
+########################################
+##
+## Write mlogc log files.
+##
+##
+##
+## Domain allowed to write the log files.
+##
+##
+#
+interface(`mlogc_write_log',`
+ gen_require(`
+ type mlogc_log_t;
+ ')
+
+ allow $1 mlogc_log_t:file write;
+')
+
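Review bot: `mlogc_domtrans` puts declarations inside an interface: `domain_type(mlogc_t)`, `domain_entry_file(mlogc_t, mlogc_exec_t)` and `role system_r types mlogc_t` belong in mlogc.te, and the `gen_require` of `httpd_t, httpd_exec_t` is never used by the body. Keeping only the require of `mlogc_t, mlogc_exec_t` and the `domtrans_pattern($1, mlogc_exec_t, mlogc_t)` call makes the interface usable from other modules without redeclaring the domain. `mlogc_write_log` grants only `file write`, which does not let a caller open or traverse to the log: use `write_files_pattern($1, mlogc_log_t, mlogc_log_t)` and add `logging_search_logs($1)` as `mlogc_read_log` does. The module header comment is the unfilled template ("Feature A/B/C") and should describe what mlogc actually does.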
diff --git a/mlogc.te b/mlogc.te
new file mode 100644
index 0000000..4efc3c9
--- /dev/null
+++ b/mlogc.te
@@ -0,0 +1,119 @@
+
+policy_module(mlogc,1.0.39)
+
+########################################
+#
+# Declarations
+#
+
+type mlogc_t;
+type mlogc_exec_t;
+mlogc_domtrans(httpd_t)
+#role system_r types mlogc_t;
+#domain_type(mlogc_t)
+#domain_entry_file(mlogc_t, mlogc_exec_t)
+
+type mlogc_log_t;
+logging_log_file(mlogc_log_t)
+
+#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
+
+type mlogc_tmp_t;
+files_tmp_file(mlogc_tmp_t)
+
+require {
+ #type cert_t;
+ type mlogc_log_t;
+ #type urandom_device_t;
+ type mlogc_t;
+ type httpd_t;
+ type httpd_log_t;
+ type tmp_t;
+ type passwd_file_t;
+ type http_port_t;
+ #type init_t;
+ class process { siginh signal noatsecure rlimitinh };
+ class unix_stream_socket { read write };
+ class chr_file { read getattr open };
+ class capability dac_override;
+ class tcp_socket { write getattr setopt read getopt create name_connect connect };
+ class file { rename read lock create write getattr unlink open append };
+ class dir { write getattr read remove_name create add_name };
+}
+
+#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
+#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
+#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;
+
+#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
+#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;
+
+#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
+#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)
+
+########################################
+#
+# mlogc local policy
+#
+
+allow httpd_t mlogc_exec_t:file { read open execute };
+
+allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
+rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+
+create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+logging_log_filetrans(mlogc_t, mlogc_log_t, file)
+
+append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
+
+
+allow mlogc_t mlogc_tmp_t:file manage_file_perms;
+files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
+
+
+
+##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
+##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
+#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
+#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
+#allow httpd_t mlogc_exec_t:file { read open execute };
+##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
+##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
+##allow httpd_log_t mlogc_exec_t:file { read open };
+
+
+#allow mlogc_t mlogc_log_t:dir { read getattr create write };
+#allow mlogc_t mlogc_log_t:file { write rename unlink open };
+
+##allow mlogc_t httpd_log_t:file { read_file_perms };
+
+#dontaudit httpd_t cert_t:file write;
+##allow mlogc_t cert_t:file read;
+
+#============= httpd_t ==============
+allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
+allow httpd_t mlogc_log_t:dir { write create add_name };
+allow httpd_t mlogc_log_t:file { write create open };
+
+#============= mlogc_t ==============
+
+
+#allow mlogc_t cert_t:dir { write getattr };
+#allow mlogc_t cert_t:file { read write getattr open lock };
+#allow mlogc_t http_port_t:tcp_socket name_connect;
+
+#allow mlogc_t httpd_log_t:file append;
+#allow mlogc_t init_t:unix_stream_socket { read write };
+#allow mlogc_t mlogc_log_t:file { read getattr append };
+#allow mlogc_t self:capability dac_override;
+#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };
+
+#allow mlogc_t urandom_device_t:chr_file { read getattr open };
+