diff --git a/ossec.te b/ossec.te
index f1d0183..233035a 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.238)
+policy_module(ossec,1.0.239)
 ########################################
 #
@@ -33,10 +33,13 @@ files_type(ossec_execd_sock_t)
 type ossec_analysisd_t;
 type ossec_analysisd_exec_t;
 init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t)
+
 type ossec_analysisd_configfile_t;
 files_config_file(ossec_analysisd_configfile_t)
+
 type ossec_analysisd_file_t;
 files_type(ossec_analysisd_file_t)
+
 type ossec_analysisd_sock_t;
 files_type(ossec_analysisd_sock_t)
@@ -49,10 +52,13 @@ init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
 type ossec_remoted_t;
 type ossec_remoted_exec_t;
 init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
+
 type ossec_remoted_configfile_t;
 files_config_file(ossec_remoted_configfile_t);
+
 type ossec_remoted_file_t;
 files_type(ossec_remoted_file_t)
+
 type ossec_remoted_sock_t;
 files_type(ossec_remoted_sock_t)
@@ -137,7 +143,7 @@ require {
 type httpd_t;
 class file { rename read lock create write getattr unlink open append entrypoint };
-class dir { write getattr read remove_name create add_name };
+#class dir { write getattr read remove_name create add_name };
 class process { setsched transition rlimitinh siginh noatsecure };
 class capability { dac_override dac_read_search setuid setgid fsetid sys_chroot sys_nice };
 class tcp_socket { create name_bind name_connect };
@@ -184,7 +190,6 @@ allow ossec_execd_t self:capability { dac_override dac_read_search setgid };
 ossec_read_config(ossec_execd_t)
 sysnet_read_config(ossec_execd_t)
-#allow ossec_execd_t ossec_var_t:dir { write add_name };
 allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms };
 allow ossec_execd_t ossec_execd_journal_t:file manage_file_perms;
 filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal");
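Review bot: The `class dir` entry in the `require` block is commented out rather than deleted, which leaves dead text in a commit whose other hunks remove the commented-out rules outright; drop the line `#class dir { write getattr read remove_name create add_name };` instead of keeping it. Whether this require is needed at all depends on how the module is built: if it is built against refpolicy, whose `policy_module()` macro already requires the kernel object classes, then the remaining `class file`, `class process`, `class capability` and `class tcp_socket` lines are redundant for the same reason and could go with it; if it is not, the directory permissions this module still uses through `list_dirs_pattern`, `manage_sock_files_pattern` and `filetrans_pattern` (visible in later hunks of this diff) would now be undeclared. Either way the reason should be recorded in a comment at the top of the block, e.g. `# classes are pulled in by policy_module(); only foreign types need requiring`, once confirmed. The `require` block starts and ends outside the hunk.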
@@ -196,10 +201,6 @@ ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
 # queue dir
 ossec_queue_filetrans(ossec_execd_t, ossec_execd_sock_t, sock_file)
 manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_execd_sock_t)
-#allow ossec_execd_t ossec_queue_t:dir rw_dir_perms;
-#allow ossec_execd_t ossec_execd_sock_t:sock_file manage_sock_file_perms;
-#rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
-#manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
 # logs
 allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read };
@@ -211,7 +212,6 @@ corecmd_exec_shell(ossec_execd_t)
 # dgram socket
 allow ossec_execd_t self:unix_dgram_socket create_stream_socket_perms;
-#allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
 # Read urandom
 dev_read_urand(ossec_execd_t)
@@ -245,13 +245,6 @@ manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock
 dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_execd_sock_t, ossec_execd_t)
 dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_remoted_sock_t, ossec_remoted_t)
-#allow ossec_analysisd_t ossec_queue_t:dir rw_dir_perms;
-
-#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
-#rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-#rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-
 # stats dir
 append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 allow ossec_analysisd_t ossec_stats_t:file read_file_perms;
@@ -266,9 +259,6 @@ read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
 # dgram socket
 allow ossec_analysisd_t self:unix_dgram_socket create_stream_socket_perms;
-#allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write };
-##allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
-#allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
 #============= ossec_logcollector_t ==============
@@ -286,8 +276,6 @@ ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file)
 # queue dir
 dgram_send_pattern(ossec_logcollector_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
-#search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
-#manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
 # logs
 allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
@@ -295,14 +283,9 @@ ossec_log_filetrans(ossec_logcollector_t, ossec_log_t, file)
 # Access all system logs:
 logging_read_all_logs(ossec_logcollector_t)
-#search_dirs_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
-#read_files_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
-#read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
 # dgram socket
 allow ossec_logcollector_t self:unix_dgram_socket create_socket_perms;
-#allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
-#allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto };
 #============= ossec_remoted_t ==============
@@ -322,17 +305,12 @@ ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file)
 # queue dir
 dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
-#allow ossec_remoted_t ossec_queue_t:dir rw_dir_perms;
 ossec_queue_filetrans(ossec_remoted_t, ossec_remoted_sock_t, sock_file)
 manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t)
 # queue/rids/
 rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t)
-#search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
-#rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
-#manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
-
 # logs
 allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file)
@@ -341,12 +319,9 @@ ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file)
 allow ossec_remoted_t self:udp_socket create_stream_socket_perms;
 corenet_udp_bind_all_unreserved_ports(ossec_remoted_t)
 corenet_udp_bind_generic_node(ossec_remoted_t)
-#allow ossec_remoted_t self:tcp_socket { create bind };
 # dgram socket
 allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms;
-#allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
-#allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
 #============= ossec_syscheckd_t ==============
@@ -365,9 +340,6 @@ ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
 # queue dir
 dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
-#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t)
-#search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
-#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
 # logs
 allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read };
@@ -375,11 +347,12 @@ ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
 # dgram socket
 allow ossec_syscheckd_t self:unix_dgram_socket create_socket_perms;
-#allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
 # Sockets
-allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
-allow ossec_syscheckd_t self:tcp_socket { create connect read write };
+allow ossec_syscheckd_t self:udp_socket create_socket_perms;
+allow ossec_syscheckd_t self:tcp_socket create_socket_perms;
+#allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
+#allow ossec_syscheckd_t self:tcp_socket { create connect read write };
 # all the things
 files_read_all_files(ossec_syscheckd_t)
@@ -407,20 +380,12 @@ dgram_send_pattern(ossec_monitord_t, ossec_queue_t, ossec_analysisd_sock_t, osse
 list_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_remoted_file_t)
 allow ossec_monitord_t ossec_remoted_file_t:file getattr_file_perms;
-#allow ossec_monitord_t ossec_queue_t:dir list_dir_perms;
-#allow ossec_monitord_t ossec_queue_t:file { getattr };
-#search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
-#read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
-#manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
-
 # logs
 allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file)
 # dgram socket
 allow ossec_monitord_t self:unix_dgram_socket create_socket_perms;
-#allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };
-#allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
 #============= httpd_t ==============
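Review bot: Swapping the explicit `{ create connect read write bind }` and `{ create connect read write }` sets on ossec_syscheckd_t's udp_socket and tcp_socket for `create_socket_perms` widens both grants: as defined in refpolicy's permission sets, `create_socket_perms` also carries `ioctl getattr setattr append getopt setopt shutdown`, and on tcp_socket it adds the `bind` that the old rule left out. If the change was prompted by specific AVC denials, a one-line comment above the two new rules naming the permissions that were actually denied and why syscheckd needs them would justify the broader set; otherwise the explicit sets should only be extended with the denied permissions, keeping the grant at what the daemon demonstrably uses. The two superseded rules are kept as `#` comments even though every other hunk in this commit removes such leftovers, so `#allow ossec_syscheckd_t self:udp_socket { create connect read write bind };` and `#allow ossec_syscheckd_t self:tcp_socket { create connect read write };` should be deleted here as well.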