104 lines
2.7 KiB
Plaintext
104 lines
2.7 KiB
Plaintext
|
|
policy_module(mlogc,1.0.49)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type mlogc_t;
|
|
type mlogc_exec_t;
|
|
role system_r types mlogc_t;
|
|
domain_type(mlogc_t)
|
|
domain_entry_file(mlogc_t, mlogc_exec_t)
|
|
|
|
optional_policy(`
|
|
mlogc_domtrans(httpd_t)
|
|
')
|
|
|
|
type mlogc_log_t;
|
|
logging_log_file(mlogc_log_t)
|
|
|
|
type mlogc_tmp_t;
|
|
files_tmp_file(mlogc_tmp_t)
|
|
|
|
require {
|
|
type cert_t;
|
|
type mlogc_log_t;
|
|
type urandom_device_t;
|
|
type mlogc_t;
|
|
type httpd_t;
|
|
type httpd_log_t;
|
|
type tmp_t;
|
|
type passwd_file_t;
|
|
type http_port_t;
|
|
class process { siginh signal noatsecure rlimitinh };
|
|
class unix_stream_socket { read write };
|
|
class chr_file { read getattr open };
|
|
class capability dac_override;
|
|
class tcp_socket { write getattr setopt read getopt create name_connect connect };
|
|
class file { rename read lock create write getattr unlink open append };
|
|
class dir { write getattr read remove_name create add_name };
|
|
}
|
|
|
|
|
|
########################################
|
|
#
|
|
# mlogc local policy
|
|
#
|
|
|
|
#============= httpd_t ==============
|
|
|
|
#allow httpd_t mlogc_exec_t:file { read open execute };
|
|
#allow httpd_t mlogc_t:process { siginh signal noatsecure rlimitinh };
|
|
allow httpd_t mlogc_t:process { signal };
|
|
allow httpd_t mlogc_log_t:dir { write create add_name };
|
|
allow httpd_t mlogc_log_t:file { write create open };
|
|
|
|
#============= mlogc_t ==============
|
|
|
|
# init
|
|
allow mlogc_t self:capability dac_override;
|
|
|
|
# log files
|
|
allow mlogc_t mlogc_log_t:dir setattr_dir_perms;
|
|
rw_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
|
create_dirs_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
|
|
|
create_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
|
rw_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
|
rename_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
|
delete_files_pattern(mlogc_t, mlogc_log_t, mlogc_log_t)
|
|
logging_log_filetrans(mlogc_t, mlogc_log_t, file)
|
|
|
|
append_files_pattern(mlogc_t, httpd_log_t, httpd_log_t)
|
|
|
|
# tmp files
|
|
allow mlogc_t mlogc_tmp_t:file manage_file_perms;
|
|
files_tmp_filetrans(mlogc_t,mlogc_tmp_t,file)
|
|
|
|
# tcp_socket
|
|
corenet_tcp_connect_http_port(mlogc_t)
|
|
#allow mlogc_t http_port_t:tcp_socket name_connect;
|
|
allow mlogc_t self:tcp_socket create_socket_perms;
|
|
#allow mlogc_t self:tcp_socket { write read };
|
|
#allow mlogc_t self:tcp_socket { connect getopt getattr create setopt };
|
|
|
|
# nss cert files
|
|
miscfiles_read_generic_certs(mlogc_t)
|
|
#allow mlogc_t cert_t:dir { getattr search };
|
|
#allow mlogc_t cert_t:file { read getattr open lock };
|
|
|
|
dontaudit mlogc_t cert_t:dir write;
|
|
dontaudit mlogc_t cert_t:file write;
|
|
allow mlogc_t cert_t:file read;
|
|
|
|
# urandom
|
|
dev_read_urand(mlogc_t)
|
|
#allow mlogc_t urandom_device_t:chr_file { read getattr open };
|
|
|
|
# passwd
|
|
auth_read_passwd(mlogc_t)
|
|
#allow mlogc_t passwd_file_t:file { getattr read open };
|
|
|