policy_module(mlogc,1.0.49)

########################################
#
# Declarations
#
# SELinux policy for the mlogc domain.  What this file shows: mlogc_t is
# entered from httpd_t, is signalled by httpd_t, writes its own log and tmp
# types, appends to httpd's log type, connects out over TCP to http_port_t,
# and reads certificates, urandom and the passwd file type.
# NOTE(review): presumably the ModSecurity log collector, given the
# httpd_t relationship -- not stated anywhere in this file.

# The running domain and the label of its executable; system_r is the only
# role authorised for the domain.
type mlogc_t;
type mlogc_exec_t;
role system_r types mlogc_t;
domain_type(mlogc_t)
domain_entry_file(mlogc_t, mlogc_exec_t)

# Lets httpd_t transition into this domain.  mlogc_domtrans() is not defined
# in this file (expected in the module's .if) -- confirm it exists and that it
# carries the exec transition, since no raw domtrans rule appears below.
optional_policy(`
	mlogc_domtrans(httpd_t)
')

# Log files owned by the collector.
type mlogc_log_t;
logging_log_file(mlogc_log_t)

# Scratch files the collector creates in the tmp directory.
type mlogc_tmp_t;
files_tmp_file(mlogc_tmp_t)

# NOTE(review): an explicit require block is unusual in a .te file built
# with policy_module(); the interface calls below generate their own.
# mlogc_t and mlogc_log_t are declared by this very module, so requiring them
# is redundant.  tmp_t, urandom_device_t, passwd_file_t, http_port_t and the
# unix_stream_socket / chr_file classes are referenced only by commented-out
# rules further down (or by nothing at all) and look like leftovers from an
# audit2allow pass -- candidates for removal once a rebuild confirms the
# module still links without them.
require {
	type cert_t;
	type mlogc_log_t;
	type urandom_device_t;
	type mlogc_t;
	type httpd_t;
	type httpd_log_t;
	type tmp_t;
	type passwd_file_t;
	type http_port_t;
	class process { siginh signal noatsecure rlimitinh };
	class unix_stream_socket { read write };
	class chr_file { read getattr open };
	class capability dac_override;
	class tcp_socket { write getattr setopt read getopt create name_connect connect };
	class file { rename read lock create write getattr unlink open append };
	class dir { write getattr read remove_name create add_name };
}

########################################
#
# mlogc local policy
#

#============= httpd_t ==============
# The two commented rules record broader grants that were considered; only
# `signal` towards the collector is active.  httpd_t may also create and
# write files in the collector's log directory (a log hand-off between the
# two, presumably -- confirm against how httpd launches the collector).
# Note the file rule carries no getattr, so a stat() by httpd on those files
# would be denied.
#allow httpd_t mlogc_exec_t:file { read open execute };
#allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
allow httpd_t mlogc_t:process { signal };
allow httpd_t mlogc_log_t:dir { write create add_name };
allow httpd_t mlogc_log_t:file { write create open };

#============= mlogc_t ==============
# init
# dac_override lets the domain bypass DAC (owner/group/mode) checks on every
# file it can otherwise reach under this policy.  That is a broad grant and
# nothing in this file shows why it is needed: if it was added to work around
# an EACCES on the log or tmp paths, fixing ownership of those paths is the
# narrower fix.  Keep it only if the collector genuinely must read files it
# does not own.
allow mlogc_t self:capability dac_override;

# log files
# Full management of the log directory and its files, plus a filetrans so
# files the collector creates in the log tree get mlogc_log_t.
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
# Append-style access to httpd's own log type (as far as the pattern name
# indicates, no read, write or unlink of httpd logs is granted here).
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)

# tmp files
# Manage files labelled mlogc_tmp_t; the filetrans makes files created
# directly in the tmp directory receive that label.  Only the file class is
# granted -- no directory class on mlogc_tmp_t, so temp directories are not
# covered by this policy.
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)

# tcp_socket
# Outbound connects are limited to ports labelled http_port_t (via the corenet
# interface); the domain may create and use its own TCP sockets.  If the
# remote endpoint listens on a port that is not http_port_t the connect is
# denied -- relabel that port rather than widening this rule.  The commented
# lines are the raw-rule equivalents the interfaces replaced.
corenet_tcp_connect_http_port(mlogc_t)
#allow mlogc_t http_port_t:tcp_socket name_connect;
allow mlogc_t self:tcp_socket create_socket_perms;
#allow mlogc_t self:tcp_socket { write read };
#allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };

# nss cert files
# Read access to the generic certificate store.  The dontaudit rules silence
# write attempts on cert_t (presumably a read-write open attempt before a
# read-only fallback -- confirm).  dontaudit also means a genuine write
# failure on cert_t will never show in the audit log, so look here first if
# the collector cannot load its certificates.  The trailing
# `cert_t:file read` is most likely already covered by
# miscfiles_read_generic_certs().
miscfiles_read_generic_certs(mlogc_t)
#allow mlogc_t cert_t:dir { getattr search };
#allow mlogc_t cert_t:file { read getattr open lock };
dontaudit mlogc_t cert_t:dir write;
dontaudit mlogc_t cert_t:file write;
allow mlogc_t cert_t:file read;

# urandom
# Read access to the urandom device; the commented rule appears to be the raw
# form the interface replaced.
dev_read_urand(mlogc_t)
#allow mlogc_t urandom_device_t:chr_file { read getattr open };

# passwd
# Read access to the passwd file type; the commented rule appears to be the
# raw form the interface replaced.
auth_read_passwd(mlogc_t)
#allow mlogc_t passwd_file_t:file { getattr read open };