From 773240e8dbfdc9d624fb37e0feb411b1a2022525 Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Mon, 9 Nov 2015 16:01:57 -0500
Subject: [PATCH] Made adjustments per grift's suggestions

---
 mlogc.te | 105 +++++++++++++------------------------------------------
 1 file changed, 24 insertions(+), 81 deletions(-)

diff --git a/mlogc.te b/mlogc.te
index 4c18067..b21d8ae 100644
--- a/mlogc.te
+++ b/mlogc.te
@@ -1,5 +1,5 @@
-policy_module(mlogc,1.0.46)
+policy_module(mlogc,1.0.49)
 ########################################
 #
@@ -8,16 +8,17 @@ policy_module(mlogc,1.0.46)
 type mlogc_t;
 type mlogc_exec_t;
-mlogc_domtrans(httpd_t)
-#role system_r types mlogc_t;
-#domain_type(mlogc_t)
-#domain_entry_file(mlogc_t, mlogc_exec_t)
+role system_r types mlogc_t;
+domain_type(mlogc_t)
+domain_entry_file(mlogc_t, mlogc_exec_t)
+
+optional_policy(`
+ mlogc_domtrans(httpd_t)
+')
 type mlogc_log_t;
 logging_log_file(mlogc_log_t)
-#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
-
 type mlogc_tmp_t;
 files_tmp_file(mlogc_tmp_t)
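Review bot: The `optional_policy(` wrapper around `mlogc_domtrans(httpd_t)` only makes the apache dependency optional if httpd_t is brought in by a gen_require inside mlogc_domtrans (in mlogc.if, not on this page); if the module-level `require { ... }` block that the next hunk shows as context still lists httpd_t, loading without the apache module fails anyway and the wrapper is cosmetic. Calling the module's own interface from its own .te is also unusual in refpolicy, where the apache side would normally make the call, so a one-line comment would help the next reader: `# apache spawns mlogc; the domtrans interface lives in mlogc.if and apache is optional`. The `role system_r types mlogc_t;` / `domain_type` / `domain_entry_file` trio is the right replacement for the previously hand-rolled rules.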
@@ -40,65 +41,17 @@ require {
 class dir { write getattr read remove_name create add_name };
 }
-#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
-#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
-#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;
-
-#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
-#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;
-
-#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
-#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)
 ########################################
 #
 # mlogc local policy
 #
-
-#allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
-#rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-#create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-##append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-##read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-##read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-#
-#create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-#rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-#rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-#delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
-#logging_log_filetrans(mlogc_t, mlogc_log_t, file)
-#
-#append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
-#
-#
-#allow mlogc_t mlogc_tmp_t:file manage_file_perms;
-#files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
-
-
-
 ##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
-##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
-#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
-#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
-#allow httpd_t mlogc_exec_t:file { read open execute };
-##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
-##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
-##allow httpd_log_t mlogc_exec_t:file { read open };
-
-
-#allow mlogc_t mlogc_log_t:dir { read getattr create write };
-#allow mlogc_t mlogc_log_t:file { write rename unlink open };
-
-##allow mlogc_t httpd_log_t:file { read_file_perms };
-
-#dontaudit httpd_t cert_t:file write;
-##allow mlogc_t cert_t:file read;
-
 #============= httpd_t ==============
-allow httpd_t mlogc_exec_t:file { read open execute };
-allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
+#allow httpd_t mlogc_exec_t:file { read open execute };
+#allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
+allow httpd_t mlogc_t:process { signal };
 allow httpd_t mlogc_log_t:dir { write create add_name };
 allow httpd_t mlogc_log_t:file { write create open };
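Review bot: `allow httpd_t mlogc_t:process { signal };` is a raw rule on another module's domain written into mlogc.te, while the rest of this commit moves cross-domain access behind interfaces (`mlogc_domtrans`, `corenet_*`, `miscfiles_*`); it should go the same way, as an interface in mlogc.if (name of your choosing) that the apache-facing optional_policy block calls. The two rules commented out just above it are presumably supplied by the domtrans pattern inside mlogc_domtrans (not on this page); since this hunk deletes dozens of other dead comments, these two should be deleted as well rather than left beside the live rule. The retained `allow httpd_t mlogc_log_t:dir/file` context lines that close the hunk are the same kind of raw cross-domain rule and could be folded into that interface at the same time.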
@@ -125,36 +78,26 @@ allow mlogc_t mlogc_tmp_t:file manage_file_perms;
 files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
 # tcp_socket
-allow mlogc_t http_port_t:tcp_socket name_connect;
-allow mlogc_t self:tcp_socket { write read };
-allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
+corenet_tcp_connect_http_port(mlogc_t)
+#allow mlogc_t http_port_t:tcp_socket name_connect;
+allow mlogc_t self:tcp_socket create_socket_perms;
+#allow mlogc_t self:tcp_socket { write read };
+#allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
 # nss cert files
-allow mlogc_t cert_t:dir { getattr search };
-allow mlogc_t cert_t:file { read getattr open lock };
+miscfiles_read_generic_certs(mlogc_t)
+#allow mlogc_t cert_t:dir { getattr search };
+#allow mlogc_t cert_t:file { read getattr open lock };
 dontaudit mlogc_t cert_t:dir write;
 dontaudit mlogc_t cert_t:file write;
 allow mlogc_t cert_t:file read;
 # urandom
-allow mlogc_t urandom_device_t:chr_file { read getattr open };
-
-# passwd
-allow mlogc_t passwd_file_t:file { getattr read open };
-
-
-
 #allow mlogc_t http_port_t:tcp_socket { create connect name_connect getopt getattr setopt };
-
-#allow mlogc_t cert_t:dir { write getattr };
-#allow mlogc_t cert_t:file { read write getattr open lock };
-
-#allow mlogc_t httpd_log_t:file append;
-#allow mlogc_t init_t:unix_stream_socket { read write };
-#allow mlogc_t mlogc_log_t:file { read getattr append };
-#allow mlogc_t self:capability dac_override;
-#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };
-
+dev_read_urand(mlogc_t)
 #allow mlogc_t urandom_device_t:chr_file { read getattr open };
+# passwd
+auth_read_passwd(mlogc_t)
+#allow mlogc_t passwd_file_t:file { getattr read open };
+
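Review bot: With `miscfiles_read_generic_certs(mlogc_t)` added, the retained context line `allow mlogc_t cert_t:file read;` is redundant (the interface already grants read on cert_t files) and is exactly the kind of raw cert_t reference this commit is replacing, so drop it and keep only the two `dontaudit mlogc_t cert_t:... write;` lines. `corenet_tcp_connect_http_port(mlogc_t)` plus `create_socket_perms` covers the socket itself, but an outbound TCP client in refpolicy usually also needs `corenet_tcp_sendrecv_generic_if(mlogc_t)` and `corenet_tcp_sendrecv_generic_node(mlogc_t)`, and `sysnet_dns_name_resolve(mlogc_t)` if the console is configured by hostname, so this is worth checking against the AVC log rather than assuming the connect interface is sufficient. The trailing `+` line at the end of the hunk adds an empty last line to the file, which looks accidental.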