Made adjustments per grift's suggestions

This commit is contained in:
Eric Renfro 2015-11-09 16:01:57 -05:00
parent 231135a574
commit 773240e8db

105
mlogc.te

@ -1,5 +1,5 @@
policy_module(mlogc,1.0.46) policy_module(mlogc,1.0.49)
######################################## ########################################
# #
@ -8,16 +8,17 @@ policy_module(mlogc,1.0.46)
type mlogc_t; type mlogc_t;
type mlogc_exec_t; type mlogc_exec_t;
mlogc_domtrans(httpd_t) role system_r types mlogc_t;
#role system_r types mlogc_t; domain_type(mlogc_t)
#domain_type(mlogc_t) domain_entry_file(mlogc_t, mlogc_exec_t)
#domain_entry_file(mlogc_t, mlogc_exec_t)
optional_policy(`
mlogc_domtrans(httpd_t)
')
type mlogc_log_t; type mlogc_log_t;
logging_log_file(mlogc_log_t) logging_log_file(mlogc_log_t)
#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
type mlogc_tmp_t; type mlogc_tmp_t;
files_tmp_file(mlogc_tmp_t) files_tmp_file(mlogc_tmp_t)
@ -40,65 +41,17 @@ require {
class dir { write getattr read remove_name create add_name }; class dir { write getattr read remove_name create add_name };
} }
#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;
#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;
#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)
######################################## ########################################
# #
# mlogc local policy # mlogc local policy
# #
#allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
#rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
##append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
##read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
##read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#
#create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#logging_log_filetrans(mlogc_t, mlogc_log_t, file)
#
#append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
#
#
#allow mlogc_t mlogc_tmp_t:file manage_file_perms;
#files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
#allow httpd_t mlogc_exec_t:file { read open execute };
##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
##allow httpd_log_t mlogc_exec_t:file { read open };
#allow mlogc_t mlogc_log_t:dir { read getattr create write };
#allow mlogc_t mlogc_log_t:file { write rename unlink open };
##allow mlogc_t httpd_log_t:file { read_file_perms };
#dontaudit httpd_t cert_t:file write;
##allow mlogc_t cert_t:file read;
#============= httpd_t ============== #============= httpd_t ==============
allow httpd_t mlogc_exec_t:file { read open execute }; #allow httpd_t mlogc_exec_t:file { read open execute };
allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh }; #allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
allow httpd_t mlogc_t:process { signal };
allow httpd_t mlogc_log_t:dir { write create add_name }; allow httpd_t mlogc_log_t:dir { write create add_name };
allow httpd_t mlogc_log_t:file { write create open }; allow httpd_t mlogc_log_t:file { write create open };
@ -125,36 +78,26 @@ allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file) files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
# tcp_socket # tcp_socket
allow mlogc_t http_port_t:tcp_socket name_connect; corenet_tcp_connect_http_port(mlogc_t)
allow mlogc_t self:tcp_socket { write read }; #allow mlogc_t http_port_t:tcp_socket name_connect;
allow mlogc_t self:tcp_socket { connect getopt getattr create setopt }; allow mlogc_t self:tcp_socket create_socket_perms;
#allow mlogc_t self:tcp_socket { write read };
#allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
# nss cert files # nss cert files
allow mlogc_t cert_t:dir { getattr search }; miscfiles_read_generic_certs(mlogc_t)
allow mlogc_t cert_t:file { read getattr open lock }; #allow mlogc_t cert_t:dir { getattr search };
#allow mlogc_t cert_t:file { read getattr open lock };
dontaudit mlogc_t cert_t:dir write; dontaudit mlogc_t cert_t:dir write;
dontaudit mlogc_t cert_t:file write; dontaudit mlogc_t cert_t:file write;
allow mlogc_t cert_t:file read; allow mlogc_t cert_t:file read;
# urandom # urandom
allow mlogc_t urandom_device_t:chr_file { read getattr open }; dev_read_urand(mlogc_t)
# passwd
allow mlogc_t passwd_file_t:file { getattr read open };
#allow mlogc_t http_port_t:tcp_socket { create connect name_connect getopt getattr setopt };
#allow mlogc_t cert_t:dir { write getattr };
#allow mlogc_t cert_t:file { read write getattr open lock };
#allow mlogc_t httpd_log_t:file append;
#allow mlogc_t init_t:unix_stream_socket { read write };
#allow mlogc_t mlogc_log_t:file { read getattr append };
#allow mlogc_t self:capability dac_override;
#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };
#allow mlogc_t urandom_device_t:chr_file { read getattr open }; #allow mlogc_t urandom_device_t:chr_file { read getattr open };
# passwd
auth_read_passwd(mlogc_t)
#allow mlogc_t passwd_file_t:file { getattr read open };
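Review bot: The `optional_policy(\` mlogc_domtrans(httpd_t) ')` wrapper added in the second hunk does not actually make the apache dependency optional, because the raw rules `allow httpd_t mlogc_log_t:dir { write create add_name };` and `allow httpd_t mlogc_log_t:file { write create open };` in the third hunk (and `allow httpd_t mlogc_t:process { signal };`, if that line is on the new side — the rendering does not say) still reference `httpd_t` outside any optional block, so `httpd_t` must stay in the `require { }` block and the module will still fail to load when the apache module is absent. Either move those rules into the same `optional_policy` block or, matching the interface-based style this commit adopts elsewhere (`corenet_tcp_connect_http_port`, `miscfiles_read_generic_certs`, `dev_read_urand`, `auth_read_passwd`), express the httpd_t side through an interface in mlogc.if so the raw cross-module `allow` lines disappear from the .te file. In the last hunk, `allow mlogc_t cert_t:file read;` survives next to the new `miscfiles_read_generic_certs(mlogc_t)` which already grants that access; it should be dropped or commented out like its siblings so the raw `cert_t` reference (and its `require` entry) can go away. If `allow httpd_t mlogc_t:process { signal };` is indeed new, it is worth confirming whether the domain-transition interface already covers the process permissions httpd_t needs, in which case that rule is redundant as well.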