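policy_module(mlogc, 1.0.39)

########################################
#
# Declarations
#
# mlogc is the ModSecurity audit-log collector.  Apache (httpd_t) spawns it
# and Apache writes the audit-log entries that mlogc later processes.

# Process domain of mlogc.  domain_type() is required: without it mlogc_t
# has no domain attribute and never receives the base process permissions,
# so a transition into it yields a process that cannot even load libraries.
type mlogc_t;
type mlogc_exec_t;
domain_type(mlogc_t)
domain_entry_file(mlogc_t, mlogc_exec_t)

# A transition from httpd_t (running as system_r) is refused by the role
# constraint unless system_r is authorised for the target type.  Redundant
# if another interface already grants it, harmless in that case.
role system_r types mlogc_t;

# Audit-log data: written by Apache, read/renamed/deleted by mlogc.
type mlogc_log_t;
logging_log_file(mlogc_log_t)

# Scratch files mlogc creates under /tmp.
type mlogc_tmp_t;
files_tmp_file(mlogc_tmp_t)

########################################
#
# mlogc local policy
#

# Own log area.  Kept as explicit patterns rather than manage_*_pattern so
# that rmdir/reparent/link are not granted on top of what is needed.
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
# Files mlogc creates directly under /var/log are labelled mlogc_log_t.
logging_log_filetrans(mlogc_t, mlogc_log_t, file)

# Scratch files under /tmp (files only; no directories are created there).
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
files_tmp_filetrans(mlogc_t, mlogc_tmp_t, file)

# mlogc appends its own diagnostics to the Apache error log.  Using the
# apache interface instead of a raw require of httpd_log_t keeps this
# module independent of the internal type name.
apache_append_log(mlogc_t)

# Deliberately NOT granted (previously present as commented-out raw rules):
#  - self:capability dac_override: bypasses DAC on every file in the system.
#    Fix the ownership/mode of the log directory instead of granting it.
#  - network access (name_connect to http_port_t, self:tcp_socket), urandom
#    reads and certificate reads are only needed once mlogc is configured to
#    upload to a remote console.  Enable them with the proper interfaces,
#    e.g. corenet_tcp_connect_http_port(mlogc_t), dev_read_urand(mlogc_t),
#    miscfiles_read_generic_certs(mlogc_t) (miscfiles_read_certs on older
#    policies), never with raw allow rules over required types.

########################################
#
# Apache side
#

optional_policy(`
	gen_require(`
		type httpd_t;
	')

	# httpd executes mlogc and transitions into mlogc_t.  mlogc_domtrans is
	# expected to be defined in mlogc.if; the explicit exec rule is kept so
	# the entry point still works if that interface lacks domtrans_pattern().
	mlogc_domtrans(httpd_t)
	allow httpd_t mlogc_exec_t:file { getattr open read execute };

	# Only signal is really granted.  siginh/rlimitinh/noatsecure follow the
	# reference-policy convention of dontaudit: allowing noatsecure would
	# let the child run without AT_SECURE, i.e. keep honouring inherited
	# loader environment such as LD_PRELOAD across the domain change.
	allow httpd_t mlogc_t:process signal;
	dontaudit httpd_t mlogc_t:process { noatsecure siginh rlimitinh };

	# Apache writes audit-log entries into the mlogc log area.  The former
	# raw rules (dir { write create add_name }, file { write create open })
	# lacked dir search and file getattr; unless httpd_t obtains those from
	# elsewhere, path lookup into the directory and the fstat() after open()
	# are denied.  The patterns supply the complete, conventional sets.
	create_dirs_pattern(httpd_t, mlogc_log_t, mlogc_log_t)
	create_files_pattern(httpd_t, mlogc_log_t, mlogc_log_t)
	write_files_pattern(httpd_t, mlogc_log_t, mlogc_log_t)
')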