diff --git a/ossec.fc b/ossec.fc
index d4eb450..ad573c3 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -13,6 +13,9 @@
 /var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
 /var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0)
+/var/ossec/var/execd\.sqlite -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
+/var/ossec/var/execd\.sqlite-journal -- gen_context(system_u:object_r:ossec_execd_journal_t,s0)
+#/var/ossec/var/execd\.sqlite(-.*)? -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
 /var/ossec/var(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
 /var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0)
diff --git a/ossec.te b/ossec.te
index 5d035a4..8e79580 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.176)
+policy_module(ossec,1.0.186)
 ########################################
 #
@@ -20,6 +20,12 @@ type ossec_execd_t;
 type ossec_execd_exec_t;
 init_daemon_domain(ossec_execd_t, ossec_execd_exec_t)
+type ossec_execd_file_t;
+files_type(ossec_execd_file_t)
+
+type ossec_execd_journal_t;
+files_type(ossec_execd_journal_t)
+
 # ossec-analysisd daemon
 type ossec_analysisd_t;
 type ossec_analysisd_exec_t;
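Review bot: The rejected alternative `#/var/ossec/var/execd\.sqlite(-.*)? -- gen_context(system_u:object_r:ossec_execd_file_t,s0)` is left in the file as a comment without saying why the two explicit entries won; since the ossec.te hunk at -214 gives the journal `manage_file_perms` but the database only `create_file_perms rw_file_perms`, the reason appears to be that one type per file lets the journal be unlinked without granting unlink on the database. Either delete the commented line or replace it with that reason, e.g. `# journal gets its own type so execd may unlink it without manage rights on the database`. If execd ever ran SQLite in WAL mode its `-wal`/`-shm` side files would not match either explicit entry and would fall back to ossec_var_t, which the wildcard form would have caught; confirm against the daemon's configuration. The same leave-the-old-rule-as-a-comment pattern recurs in the ossec.te hunks at -122, -197, -214, -228, -302 and -339; the removed lines are already in git history and the comments only add noise to the policy.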
@@ -122,48 +128,48 @@ unconfined_domain(ossec_ar_t)
 ###
 require {
- type ossec_bin_t;
+ #type ossec_bin_t;
- type ossec_maild_t;
- type ossec_maild_exec_t;
- type ossec_execd_t;
- type ossec_execd_exec_t;
- type ossec_analysisd_t;
- type ossec_analysisd_exec_t;
- type ossec_logcollector_t;
- type ossec_logcollector_exec_t;
- type ossec_remoted_t;
- type ossec_remoted_exec_t;
- type ossec_syscheckd_t;
- type ossec_syscheckd_exec_t;
- type ossec_monitord_t;
- type ossec_monitord_exec_t;
- type ossec_dbd_t;
- type ossec_dbd_exec_t;
- type ossec_csyslogd_t;
- type ossec_csyslogd_exec_t;
- type ossec_agentlessd_t;
- type ossec_agentlessd_exec_t;
+ #type ossec_maild_t;
+ #type ossec_maild_exec_t;
+ #type ossec_execd_t;
+ #type ossec_execd_exec_t;
+ #type ossec_analysisd_t;
+ #type ossec_analysisd_exec_t;
+ #type ossec_logcollector_t;
+ #type ossec_logcollector_exec_t;
+ #type ossec_remoted_t;
+ #type ossec_remoted_exec_t;
+ #type ossec_syscheckd_t;
+ #type ossec_syscheckd_exec_t;
+ #type ossec_monitord_t;
+ #type ossec_monitord_exec_t;
+ #type ossec_dbd_t;
+ #type ossec_dbd_exec_t;
+ #type ossec_csyslogd_t;
+ #type ossec_csyslogd_exec_t;
+ #type ossec_agentlessd_t;
+ #type ossec_agentlessd_exec_t;
- type ossec_var_t;
- type ossec_tmp_t;
- type ossec_log_t;
- type ossec_etc_t;
- type ossec_rule_t;
- type ossec_stats_t;
- type ossec_queue_t;
+ #type ossec_var_t;
+ #type ossec_tmp_t;
+ #type ossec_log_t;
+ #type ossec_etc_t;
+ #type ossec_rule_t;
+ #type ossec_stats_t;
+ #type ossec_queue_t;
- type ossec_ar_t;
- type ossec_ar_bin_t;
- type ossec_ar_exec_t;
+ #type ossec_ar_t;
+ #type ossec_ar_bin_t;
+ #type ossec_ar_exec_t;
- type var_log_t;
+ #type var_log_t;
 type httpd_t;
- type httpd_log_t;
- type unreserved_port_t;
- type smtp_port_t;
- type node_t;
- type shell_exec_t;
+ #type httpd_log_t;
+ #type unreserved_port_t;
+ #type smtp_port_t;
+ #type node_t;
+ #type shell_exec_t;
 class file { rename read lock create write getattr unlink open append entrypoint };
 class dir {
write getattr read remove_name create add_name };
 class process { setsched transition rlimitinh siginh noatsecure };
@@ -197,8 +203,10 @@ allow ossec_maild_t ossec_log_t:file { create_file_perms append_file_perms read
 ossec_log_filetrans(ossec_maild_t, ossec_log_t, file)
 # Sockets
-allow ossec_maild_t self:tcp_socket { create connect read write };
-allow ossec_maild_t smtp_port_t:tcp_socket { name_connect };
+allow ossec_maild_t self:tcp_socket create_socket_perms;
+corenet_tcp_connect_smtp_port(ossec_maild_t)
+#allow ossec_maild_t self:tcp_socket { create connect read write };
+#allow ossec_maild_t smtp_port_t:tcp_socket { name_connect };
 #============= ossec_execd_t ==============
@@ -214,8 +222,14 @@ ossec_read_config(ossec_execd_t)
 search_dirs_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
 read_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
+#allow ossec_execd_t ossec_var_t:dir { write add_name };
+allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms };
+allow ossec_execd_t ossec_execd_journal_t:file manage_file_perms;
+filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal");
+
 # var run dir
-allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+#allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_execd_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
 # queue dir
@@ -228,7 +242,8 @@ ossec_log_filetrans(ossec_execd_t, ossec_log_t, file)
 # active-response scripts
 search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
-exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)
+#exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)
+corecmd_exec_shell(ossec_execd_t)
 # dgram socket
 allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
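Review bot: `corenet_tcp_connect_smtp_port(ossec_maild_t)` grants only `name_connect` on the SMTP port type, so whether outbound mail actually works depends on the base policy: older refpolicy releases also require `corenet_tcp_sendrecv_generic_if(ossec_maild_t)`, `corenet_tcp_sendrecv_generic_node(ossec_maild_t)` and `corenet_sendrecv_smtp_client_packets(ossec_maild_t)` before a connection completes, and this should be confirmed in the AVC log rather than assumed. Note also that `create_socket_perms` expands to a noticeably wider set than the `{ create connect read write }` it replaces (it includes bind, setopt and shutdown); that is the conventional set, but the commit message should record it as a widening rather than a pure rewrite.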
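Review bot: The new `filetrans_pattern(...)` names only `execd.sqlite-journal`; the database file has no type transition, so if ossec_execd_t creates `execd.sqlite` at runtime in an ossec_var_t directory the file receives the default ossec_var_t label and the new `allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms }` rule never applies (the ossec.fc entry only helps on relabel), unless a rule outside this hunk already covers ossec_var_t files. If the daemon creates the database, add `filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_file_t, file, "execd.sqlite")`; if it is shipped pre-labelled, a comment saying so would remove the ambiguity. The trailing `;` after the `filetrans_pattern(...)` call is also inconsistent with the bare `ossec_pid_filetrans(...)` call two lines below and with the other interface calls in this file.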
@@ -269,7 +284,7 @@ create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 # logs
-allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read };
+allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink };
 ossec_log_filetrans(ossec_analysisd_t, ossec_log_t, file)
 # rules dir
@@ -302,9 +317,11 @@ manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
 allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_logcollector_t, ossec_log_t, file)
-search_dirs_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
-read_files_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
-read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
+# Access all system logs:
+logging_read_all_logs(ossec_logcollector_t)
+#search_dirs_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
+#read_files_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
+#read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
 # dgram socket
 allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
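Review bot: Adding `link unlink` on ossec_log_t:file lets the analysis daemon delete or hard-link its own logs, which for a host intrusion-detection system weakens the tamper-evidence of the alert trail, and the hunk gives no reason for the new permissions. If the need is the daemon's own log rotation, say so next to the rule, e.g. `# analysisd rotates its logs by hardlink+unlink` (confirm the mechanism against the daemon's source before committing the comment); if only one of the two permissions is actually needed, grant just that one.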
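Review bot: `logging_read_all_logs(ossec_logcollector_t)` grants read on every type carrying the `logfile` attribute, not just the httpd_log_t and var_log_t it replaces; in refpolicy that attribute is also carried by the audit log type, so this is a real widening rather than a rewrite. That may be intended for a collector whose inputs are admin-configured, but the added `# Access all system logs:` comment should say so explicitly, e.g. `# logcollector reads admin-configured log files, so it needs every type under the logfile attribute (including audit logs)`. Confirm against the base policy in use which types carry `logfile` before relying on the audit-log claim.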
@@ -339,11 +356,14 @@ allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms rea
 ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file)
 # Sockets
-allow ossec_remoted_t self:udp_socket { create bind read write };
-allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind };
-allow ossec_remoted_t node_t:udp_socket { node_bind };
+allow ossec_remoted_t self:udp_socket create_stream_socket_perms;
+corenet_udp_bind_all_unreserved_ports(ossec_remoted_t)
+corenet_udp_bind_generic_node(ossec_remoted_t)
+#allow ossec_remoted_t self:udp_socket { create bind read write };
+#allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind };
+#allow ossec_remoted_t node_t:udp_socket { node_bind };
-allow ossec_remoted_t self:tcp_socket { create bind };
+#allow ossec_remoted_t self:tcp_socket { create bind };
 # dgram socket
 allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
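Review bot: `create_stream_socket_perms` on `self:udp_socket` is the wrong permission set for a datagram socket: it adds `listen` and `accept`, which UDP never uses, on top of `create_socket_perms`. `allow ossec_remoted_t self:udp_socket create_socket_perms;` is the conventional rule and still covers the `{ create bind read write }` it replaces. `corenet_udp_bind_all_unreserved_ports(ossec_remoted_t)` allows binding any unreserved UDP port; a comment naming the port remoted actually listens on, e.g. `# remoted binds its agent port (labelled <PORT_TYPE>)`, would let a later reviewer tighten this to a dedicated `corenet_udp_bind_*_port` interface if the base policy defines a type for it.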