From 3d702bf682c989e8b7f286bc7fbc0092f69835cd Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Mon, 9 Nov 2015 02:24:42 -0500
Subject: [PATCH] Initial commit at 1.0.39

---
 mlogc.fc | 9 +++++
 mlogc.if | 81 +++++++++++++++++++++++++++++++++++++
 mlogc.te | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 209 insertions(+)
 create mode 100644 mlogc.fc
 create mode 100644 mlogc.if
 create mode 100644 mlogc.te

diff --git a/mlogc.fc b/mlogc.fc
new file mode 100644
index 0000000..7709e73
--- /dev/null
+++ b/mlogc.fc
@@ -0,0 +1,9 @@
+# mlogc executable will have:
+# label: system_u:object_r:mlogc_exec_t
+# MLS sensitivity: s0
+# MCS categories: 
+
+/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+
diff --git a/mlogc.if b/mlogc.if
new file mode 100644
index 0000000..da0cff4
--- /dev/null
+++ b/mlogc.if
@@ -0,0 +1,81 @@
+## mlogc policy
+##
+##
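Review bot: The third file-context spec, `/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)`, is redundant: the preceding `/var/log/mlogc(/.*)?` already matches everything under that directory with the same context, so the extra line adds only a second regex for restorecon to evaluate. Dropping it keeps the .fc to a single spec per labeled tree and avoids two entries drifting apart if the data directory ever gets its own type. The header comment also lists "MCS categories:" with no value; either state the intended categories or remove that line so the comment does not read as an unfinished template.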

+## More descriptive text about mlogc. The desc +## tag can also use p, ul, and ol +## html tags for formatting. +##

+##

+## This policy supports the following mlogc features: +##

    +##
  • Feature A
  • +##
  • Feature B
  • +##
  • Feature C
  • +##
+##

+##
+# + +######################################## +## +## Execute a domain transition to run mlogc. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mlogc_domtrans',` + gen_require(` + type mlogc_t, mlogc_exec_t; + type httpd_t, httpd_exec_t; + role system_r; + ') + + domain_type(mlogc_t) + domain_entry_file(mlogc_t, mlogc_exec_t) + + role system_r types mlogc_t; + + domtrans_pattern($1, mlogc_exec_t, mlogc_t) + #domtrans_pattern($1,mlogc_exec_t,mlogc_t) +') + +######################################## +## +## Read mlogc log files. +## +## +## +## Domain allowed to read the log files. +## +## +# +interface(`mlogc_read_log',` + gen_require(` + type mlogc_log_t; + ') + + logging_search_logs($1) + allow $1 mlogc_log_t:file read_file_perms; +') + +######################################## +## +## Write mlogc log files. +## +## +## +## Domain allowed to write the log files. +## +## +# +interface(`mlogc_write_log',` + gen_require(` + type mlogc_log_t; + ') + + allow $1 mlogc_log_t:file write; +') + diff --git a/mlogc.te b/mlogc.te new file mode 100644 index 0000000..4efc3c9 --- /dev/null +++ b/mlogc.te 
@@ -0,0 +1,119 @@
+
+policy_module(mlogc,1.0.39)
+
+########################################
+#
+# Declarations
+#
+
+type mlogc_t;
+type mlogc_exec_t;
+mlogc_domtrans(httpd_t)
+#role system_r types mlogc_t;
+#domain_type(mlogc_t)
+#domain_entry_file(mlogc_t, mlogc_exec_t)
+
+type mlogc_log_t;
+logging_log_file(mlogc_log_t)
+
+#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
+
+type mlogc_tmp_t;
+files_tmp_file(mlogc_tmp_t)
+
+require {
+ #type cert_t;
+ type mlogc_log_t;
+ #type urandom_device_t;
+ type mlogc_t;
+ type httpd_t;
+ type httpd_log_t;
+ type tmp_t;
+ type passwd_file_t;
+ type http_port_t;
+ #type init_t;
+ class process { siginh signal noatsecure rlimitinh };
+ class unix_stream_socket { read write };
+ class chr_file { read getattr open };
+ class capability dac_override;
+ class tcp_socket { write getattr setopt read getopt create name_connect connect };
+ class file { rename read lock create write getattr unlink open append };
+ class dir { write getattr read remove_name create add_name };
+}
+
+#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
+#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
+#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;
+
+#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
+#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;
+
+#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
+#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)
+
+########################################
+#
+# mlogc local policy
+#
+
+allow httpd_t mlogc_exec_t:file { read open execute };
+
+allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
+rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+
+create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+logging_log_filetrans(mlogc_t, mlogc_log_t, file)
+
+append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
+
+
+allow mlogc_t mlogc_tmp_t:file manage_file_perms;
+files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
+
+
+
+##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
+##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
+#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
+#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
+#allow httpd_t mlogc_exec_t:file { read open execute };
+##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
+##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
+##allow httpd_log_t mlogc_exec_t:file { read open };
+
+
+#allow mlogc_t mlogc_log_t:dir { read getattr create write };
+#allow mlogc_t mlogc_log_t:file { write rename unlink open };
+
+##allow mlogc_t httpd_log_t:file { read_file_perms };
+
+#dontaudit httpd_t cert_t:file write;
+##allow mlogc_t cert_t:file read;
+
+#============= httpd_t ==============
+allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
+allow httpd_t mlogc_log_t:dir { write create add_name };
+allow httpd_t mlogc_log_t:file { write create open };
+
+#============= mlogc_t ==============
+
+
+#allow mlogc_t cert_t:dir { write getattr };
+#allow mlogc_t cert_t:file { read write getattr open lock };
+#allow mlogc_t http_port_t:tcp_socket name_connect;
+
+#allow mlogc_t httpd_log_t:file append;
+#allow mlogc_t init_t:unix_stream_socket { read write };
+#allow mlogc_t mlogc_log_t:file { read getattr append };
+#allow mlogc_t self:capability dac_override;
+#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };
+
+#allow mlogc_t urandom_device_t:chr_file { read getattr open };
+
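Review bot: The raw `require { ... }` block is an audit2allow leftover that lists `mlogc_t` and `mlogc_log_t`, which this very module declares a few lines above, plus `tmp_t`, `passwd_file_t`, `http_port_t` and every `class` line, none of which any active rule below uses; reduce it to the externally defined types actually referenced (`httpd_t`, `httpd_log_t`) or, better, reach them through refpolicy interfaces so the module does not hard-require apache's types. The direct `allow httpd_t mlogc_log_t:dir { write create add_name }` and `allow httpd_t mlogc_log_t:file { write create open }` rules hand the web server domain write access to the collector's log store without `getattr`, `search` or `remove_name`, which looks like an in-progress denial-by-denial grant rather than a designed permission; presumably this is for mod_security writing the concurrent audit log that mlogc uploads, and if so it should be expressed once with `manage_files_pattern`/`manage_dirs_pattern` (or a widened `mlogc_write_log`) and documented as such. The commented-out `http_port_t:tcp_socket name_connect`, `urandom_device_t:chr_file` and `self:capability dac_override` lines suggest mlogc_t cannot yet reach the remote console or read urandom in enforcing mode; when those are enabled, prefer `corenet_tcp_connect_http_port(mlogc_t)` and `dev_read_urand(mlogc_t)` over raw allow rules, and leave `dac_override` out unless a specific denial proves it necessary. The `allow httpd_t mlogc_exec_t:file { read open execute };` line is already covered by the `domtrans_pattern` expanded through `mlogc_domtrans(httpd_t)` and can be dropped.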