policy_module(mlogc,1.0.39)

########################################
#
# Declarations
#

type mlogc_t;
type mlogc_exec_t;
mlogc_domtrans(httpd_t)
#role system_r types mlogc_t;
#domain_type(mlogc_t)
#domain_entry_file(mlogc_t, mlogc_exec_t)

type mlogc_log_t;
logging_log_file(mlogc_log_t)

#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;

type mlogc_tmp_t;
files_tmp_file(mlogc_tmp_t)

require {
	#type cert_t;
	type mlogc_log_t;
	#type urandom_device_t;
	type mlogc_t;
	type httpd_t;
	type httpd_log_t;
	type tmp_t;
        type passwd_file_t;
        type http_port_t;
        #type init_t;
        class process { siginh signal noatsecure rlimitinh };
        class unix_stream_socket { read write };
        class chr_file { read getattr open };
        class capability dac_override;
        class tcp_socket { write getattr setopt read getopt create name_connect connect };
        class file { rename read lock create write getattr unlink open append };
        class dir { write getattr read remove_name create add_name };
}

#type_transition httpd_t mlogc_log_t:file mlogc_log_t;
#type_transition httpd_log_t mlogc_log_t:file mlogc_log_t;
#type_change httpd_log_t mlogc_log_t:file mlogc_log_t;

#domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)
#type_transition mlogc_t mlogc_log_t:file mlogc_log_t;

#type_transition mlogc_t mlogc_log_t:dir mlogc_log_t;
#domtrans_pattern(mlogc_t, mlogc_exec_t, mlogc_log_t)

########################################
#
# mlogc local policy
#

allow httpd_t mlogc_exec_t:file { read open execute };

allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#append_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
#read_lnk_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)

create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
logging_log_filetrans(mlogc_t, mlogc_log_t, file)

append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)


allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)



##allow httpd_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
#allow httpd_t mlogc_log_t:dir { add_name remove_name create write };
#allow httpd_t mlogc_log_t:file { create open rename read write unlink };
#allow httpd_t mlogc_exec_t:file { read open execute };
##allow httpd_log_t mlogc_log_t:dir { read getattr lock search ioctl add_name remove_name write create };
##allow httpd_log_t mlogc_log_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
##allow httpd_log_t mlogc_exec_t:file { read open };


#allow mlogc_t mlogc_log_t:dir { read getattr create write };
#allow mlogc_t mlogc_log_t:file { write rename unlink open };

##allow mlogc_t httpd_log_t:file { read_file_perms };
 
#dontaudit httpd_t cert_t:file write;
##allow mlogc_t cert_t:file read;

#============= httpd_t ==============
allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
allow httpd_t mlogc_log_t:dir { write create add_name };
allow httpd_t mlogc_log_t:file { write create open };

#============= mlogc_t ==============


#allow mlogc_t cert_t:dir { write getattr };
#allow mlogc_t cert_t:file { read write getattr open lock };
#allow mlogc_t http_port_t:tcp_socket name_connect;

#allow mlogc_t httpd_log_t:file append;
#allow mlogc_t init_t:unix_stream_socket { read write };
#allow mlogc_t mlogc_log_t:file { read getattr append };
#allow mlogc_t self:capability dac_override;
#allow mlogc_t self:tcp_socket { write getattr setopt read getopt create connect };

#allow mlogc_t urandom_device_t:chr_file { read getattr open };