Initial commit at 1.0.39

This commit is contained in:
Eric Renfro 2015-11-09 02:24:42 -05:00
commit 3d702bf682
3 changed files with 209 additions and 0 deletions

9
mlogc.fc Normal file
View file

@ -0,0 +1,9 @@
# mlogc executable will have:
# label: system_u:object_r:mlogc_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)
/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)

81
mlogc.if Normal file
View file

@ -0,0 +1,81 @@
## <summary>mlogc policy</summary>
## <desc>
## <p>
## More descriptive text about mlogc. The desc
## tag can also use p, ul, and ol
## html tags for formatting.
## </p>
## <p>
## This policy supports the following mlogc features:
## <ul>
## <li>Feature A</li>
## <li>Feature B</li>
## <li>Feature C</li>
## </ul>
## </p>
## </desc>
#
########################################
## <summary>
## Execute a domain transition to run mlogc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`mlogc_domtrans',`
gen_require(`
type mlogc_t, mlogc_exec_t;
type httpd_t, httpd_exec_t;
role system_r;
')
domain_type(mlogc_t)
domain_entry_file(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;
domtrans_pattern($1, mlogc_exec_t, mlogc_t)
#domtrans_pattern($1,mlogc_exec_t,mlogc_t)
')
########################################
## <summary>
## Read mlogc log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to read the log files.
## </summary>
## </param>
#
interface(`mlogc_read_log',`
gen_require(`
type mlogc_log_t;
')
logging_search_logs($1)
allow $1 mlogc_log_t:file read_file_perms;
')
########################################
## <summary>
## Write mlogc log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to write the log files.
## </summary>
## </param>
#
interface(`mlogc_write_log',`
gen_require(`
type mlogc_log_t;
')
allow $1 mlogc_log_t:file write;
')

119
mlogc.te Normal file
View file

@ -0,0 +1,119 @@
policy_module(mlogc,1.0.39)
########################################
#
# Declarations
#
type mlogc_t;
type mlogc_exec_t;
mlogc_domtrans(httpd_t)
#role system_r types mlogc_t;
#domain_type(mlogc_t)
#domain_entry_file(mlogc_t, mlogc_exec_t)
type mlogc_log_t;
logging_log_file(mlogc_log_t)
#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
type mlogc_tmp_t;
files_tmp_file(mlogc_tmp_t)
require {
#type cert_t;
type mlogc_log_t;
#type urandom_device_t;
type mlogc_t;
type httpd_t;
type httpd_log_t;
type tmp_t;
type passwd_file_t;
type http_port_t;
#type init_t;
class process { siginh signal noatsecure rlimitinh };
class unix_stream_socket { read write };
class chr_file { read getattr open };
class capability dac_override;
class tcp_socket { write getattr setopt read getopt create name_connect connect };
class file { rename read lock create write getattr unlink open append };
class dir { write getattr read remove_name create add_name };
}
#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;
#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;
#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)
########################################
#
# mlogc local policy
#
allow httpd_t mlogc_exec_t:file { read open execute };
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
#allow httpd_t mlogc_exec_t:file { read open execute };
##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
##allow httpd_log_t mlogc_exec_t:file { read open };
#allow mlogc_t mlogc_log_t:dir { read getattr create write };
#allow mlogc_t mlogc_log_t:file { write rename unlink open };
##allow mlogc_t httpd_log_t:file { read_file_perms };
#dontaudit httpd_t cert_t:file write;
##allow mlogc_t cert_t:file read;
#============= httpd_t ==============
allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
allow httpd_t mlogc_log_t:dir { write create add_name };
allow httpd_t mlogc_log_t:file { write create open };
#============= mlogc_t ==============
#allow mlogc_t cert_t:dir { write getattr };
#allow mlogc_t cert_t:file { read write getattr open lock };
#allow mlogc_t http_port_t:tcp_socket name_connect;
#allow mlogc_t httpd_log_t:file append;
#allow mlogc_t init_t:unix_stream_socket { read write };
#allow mlogc_t mlogc_log_t:file { read getattr append };
#allow mlogc_t self:capability dac_override;
#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };
#allow mlogc_t urandom_device_t:chr_file { read getattr open };