Initial commit at 1.0.39
3d702bf682
3 changed files with 209 additions and 0 deletions
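--- a/mlogc.fc
+++ b/mlogc.fc
@@ -0,0 +1,9 @@
+# mlogc executable will have:
+# label: system_u:object_r:mlogc_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
+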
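Review bot: The last spec, `/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)`, is redundant: the line above it, `/var/log/mlogc(/.*)?`, already matches every path under /var/log/mlogc and assigns the same mlogc_log_t label, so setfiles/restorecon resolve both to the identical context. Either drop the line, or — if the data subtree (presumably the audit-log storage directory that the web server writes into) was meant to be the only place httpd_t may create files — give it its own type, e.g. `mlogc_data_t`, so the .te can grant write access to that directory alone instead of the whole log tree. As written the distinction cannot be expressed, because both spellings yield mlogc_log_t.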
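--- a/mlogc.if
+++ b/mlogc.if
@@ -0,0 +1,81 @@
+## <summary>mlogc policy</summary>
+## <desc>
+## <p>
+## More descriptive text about mlogc. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following mlogc features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+#
+
+########################################
+## <summary>
+## Execute a domain transition to run mlogc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mlogc_domtrans',`
+gen_require(`
+type mlogc_t, mlogc_exec_t;
+type httpd_t, httpd_exec_t;
+role system_r;
+')
+
+domain_type(mlogc_t)
+domain_entry_file(mlogc_t, mlogc_exec_t)
+
+role system_r types mlogc_t;
+
+domtrans_pattern($1, mlogc_exec_t, mlogc_t)
+#domtrans_pattern($1,mlogc_exec_t,mlogc_t)
+')
+
+########################################
+## <summary>
+## Read mlogc log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read the log files.
+## </summary>
+## </param>
+#
+interface(`mlogc_read_log',`
+gen_require(`
+type mlogc_log_t;
+')
+
+logging_search_logs($1)
+allow $1 mlogc_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Write mlogc log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to write the log files.
+## </summary>
+## </param>
+#
+interface(`mlogc_write_log',`
+gen_require(`
+type mlogc_log_t;
+')
+
+allow $1 mlogc_log_t:file write;
+')
+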
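Review bot: `mlogc_domtrans` carries declarations that do not belong in an interface — `domain_type(mlogc_t)`, `domain_entry_file(mlogc_t, mlogc_exec_t)` and `role system_r types mlogc_t;` are re-emitted for every caller and unconditionally bind mlogc_t to system_r no matter which domain asks for the transition; move those three lines into mlogc.te (where the same statements currently sit commented out) and leave the interface as just the `gen_require` plus `domtrans_pattern($1, mlogc_exec_t, mlogc_t)`. The `type httpd_t, httpd_exec_t;` and `role system_r;` requires are then unused and should go, since they tie this module to apache for nothing the interface body needs. The placeholder `<desc>` text ("Feature A/B/C") should be replaced with a sentence saying what mlogc is before this ships. Separately, `mlogc_write_log` grants a bare `write` on mlogc_log_t files, which is not enough to open one and also omits directory search; `logging_search_logs($1)` followed by `allow $1 mlogc_log_t:file write_file_perms;` would make it usable and consistent with `mlogc_read_log`.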
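--- a/mlogc.te
+++ b/mlogc.te
@@ -0,0 +1,119 @@
+
+policy_module(mlogc,1.0.39)
+
+########################################
+#
+# Declarations
+#
+
+type mlogc_t;
+type mlogc_exec_t;
+mlogc_domtrans(httpd_t)
+#role system_r types mlogc_t;
+#domain_type(mlogc_t)
+#domain_entry_file(mlogc_t, mlogc_exec_t)
+
+type mlogc_log_t;
+logging_log_file(mlogc_log_t)
+
+#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
+
+type mlogc_tmp_t;
+files_tmp_file(mlogc_tmp_t)
+
+require {
+#type cert_t;
+type mlogc_log_t;
+#type urandom_device_t;
+type mlogc_t;
+type httpd_t;
+type httpd_log_t;
+type tmp_t;
+type passwd_file_t;
+type http_port_t;
+#type init_t;
+class process { siginh signal noatsecure rlimitinh };
+class unix_stream_socket { read write };
+class chr_file { read getattr open };
+class capability dac_override;
+class tcp_socket { write getattr setopt read getopt create name_connect connect };
+class file { rename read lock create write getattr unlink open append };
+class dir { write getattr read remove_name create add_name };
+}
+
+#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
+#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
+#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;
+
+#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
+#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;
+
+#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
+#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)
+
+########################################
+#
+# mlogc local policy
+#
+
+allow httpd_t mlogc_exec_t:file { read open execute };
+
+allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
+rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+
+create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
+logging_log_filetrans(mlogc_t, mlogc_log_t, file)
+
+append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
+
+
+allow mlogc_t mlogc_tmp_t:file manage_file_perms;
+files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
+
+
+
+##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
+##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
+#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
+#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
+#allow httpd_t mlogc_exec_t:file { read open execute };
+##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
+##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
+##allow httpd_log_t mlogc_exec_t:file { read open };
+
+
+#allow mlogc_t mlogc_log_t:dir { read getattr create write };
+#allow mlogc_t mlogc_log_t:file { write rename unlink open };
+
+##allow mlogc_t httpd_log_t:file { read_file_perms };
+
+#dontaudit httpd_t cert_t:file write;
+##allow mlogc_t cert_t:file read;
+
+#============= httpd_t ==============
+allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
+allow httpd_t mlogc_log_t:dir { write create add_name };
+allow httpd_t mlogc_log_t:file { write create open };
+
+#============= mlogc_t ==============
+
+
+#allow mlogc_t cert_t:dir { write getattr };
+#allow mlogc_t cert_t:file { read write getattr open lock };
+#allow mlogc_t http_port_t:tcp_socket name_connect;
+
+#allow mlogc_t httpd_log_t:file append;
+#allow mlogc_t init_t:unix_stream_socket { read write };
+#allow mlogc_t mlogc_log_t:file { read getattr append };
+#allow mlogc_t self:capability dac_override;
+#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };
+
+#allow mlogc_t urandom_device_t:chr_file { read getattr open };
+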
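Review bot: `allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };` under the `httpd_t` heading undoes part of the isolation that `mlogc_domtrans(httpd_t)` sets up — `noatsecure` tells the loader not to treat the transition as a secure exec, so a compromised web server can carry LD_PRELOAD/LD_LIBRARY_PATH and similar variables into mlogc_t, and `siginh`/`rlimitinh` let it hand over its signal state and resource limits. These read like audit2allow output; unless mlogc demonstrably needs them, keep only `allow httpd_t mlogc_t:process signal;` and turn the rest into `dontaudit httpd_t mlogc_t:process { siginh noatsecure rlimitinh };`. The explicit `allow httpd_t mlogc_exec_t:file { read open execute };` duplicates what `domtrans_pattern` already grants, and the `require` entries for `tmp_t`, `passwd_file_t` and `http_port_t` are not referenced by any active rule, so all of these can go. The `mlogc_domtrans(httpd_t)` call is also placed before `type mlogc_log_t` and the other declarations while the `domain_type`/`domain_entry_file`/`role system_r types` statements it depends on sit here commented out — uncomment those three in this section and call the interface after the declarations. If mlogc is expected to upload audit logs over HTTP(S) (the commented `http_port_t:tcp_socket name_connect` and `self:tcp_socket` rules suggest so), that access should come back as `corenet_tcp_connect_http_port(mlogc_t)` plus `allow mlogc_t self:tcp_socket create_stream_socket_perms;` rather than raw allow rules.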