Cleanup, refinement, suggestions from grift.

2015-11-24 15:34:00 -05:00 · 2015-11-24 15:34:00 -05:00 · 991f7835d9
commit 991f7835d9
parent 9f2084c8f7
2 changed files with 73 additions and 50 deletions
--- a/ossec.fc
+++ b/ossec.fc
@ -13,6 +13,9 @@
 /var/ossec/agentless(/.*)?                gen_context(system_u:object_r:ossec_var_t,s0)
 /var/ossec/var/run(/.*)?                  gen_context(system_u:object_r:ossec_var_run_t,s0)
 /var/ossec/var/execd\.sqlite           -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
 /var/ossec/var/execd\.sqlite-journal   -- gen_context(system_u:object_r:ossec_execd_journal_t,s0)
 #/var/ossec/var/execd\.sqlite(-.*)?     -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
 /var/ossec/var(/.*)?                      gen_context(system_u:object_r:ossec_var_t,s0)
 /var/ossec/tmp(/.*)?                      gen_context(system_u:object_r:ossec_tmp_t,s0)
--- a/ossec.te
+++ b/ossec.te
@ -1,5 +1,5 @@
-policy_module(ossec,1.0.176)
+policy_module(ossec,1.0.186)
 ########################################
 #
@ -20,6 +20,12 @@ type ossec_execd_t;
 type ossec_execd_exec_t;
 init_daemon_domain(ossec_execd_t, ossec_execd_exec_t)
 type ossec_execd_file_t;
 files_type(ossec_execd_file_t)
 type ossec_execd_journal_t;
 files_type(ossec_execd_journal_t)
 # ossec-analysisd daemon
 type ossec_analysisd_t;
 type ossec_analysisd_exec_t;
@ -122,48 +128,48 @@ unconfined_domain(ossec_ar_t)
 ###
 require {
-	type ossec_bin_t;
+	#type ossec_bin_t;
-	type ossec_maild_t;
+	#type ossec_maild_t;
-	type ossec_maild_exec_t;
+	#type ossec_maild_exec_t;
-	type ossec_execd_t;
+	#type ossec_execd_t;
-	type ossec_execd_exec_t;
+	#type ossec_execd_exec_t;
-	type ossec_analysisd_t;
+	#type ossec_analysisd_t;
-	type ossec_analysisd_exec_t;
+	#type ossec_analysisd_exec_t;
-	type ossec_logcollector_t;
+	#type ossec_logcollector_t;
-	type ossec_logcollector_exec_t;
+	#type ossec_logcollector_exec_t;
-	type ossec_remoted_t;
+	#type ossec_remoted_t;
-	type ossec_remoted_exec_t;
+	#type ossec_remoted_exec_t;
-	type ossec_syscheckd_t;
+	#type ossec_syscheckd_t;
-	type ossec_syscheckd_exec_t;
+	#type ossec_syscheckd_exec_t;
-	type ossec_monitord_t;
+	#type ossec_monitord_t;
-	type ossec_monitord_exec_t;
+	#type ossec_monitord_exec_t;
-	type ossec_dbd_t;
+	#type ossec_dbd_t;
-	type ossec_dbd_exec_t;
+	#type ossec_dbd_exec_t;
-	type ossec_csyslogd_t;
+	#type ossec_csyslogd_t;
-	type ossec_csyslogd_exec_t;
+	#type ossec_csyslogd_exec_t;
-	type ossec_agentlessd_t;
+	#type ossec_agentlessd_t;
-	type ossec_agentlessd_exec_t;
+	#type ossec_agentlessd_exec_t;
-	type ossec_var_t;
+	#type ossec_var_t;
-	type ossec_tmp_t;
+	#type ossec_tmp_t;
-	type ossec_log_t;
+	#type ossec_log_t;
-	type ossec_etc_t;
+	#type ossec_etc_t;
-	type ossec_rule_t;
+	#type ossec_rule_t;
-	type ossec_stats_t;
+	#type ossec_stats_t;
-	type ossec_queue_t;
+	#type ossec_queue_t;
-	type ossec_ar_t;
+	#type ossec_ar_t;
-	type ossec_ar_bin_t;
+	#type ossec_ar_bin_t;
-	type ossec_ar_exec_t;
+	#type ossec_ar_exec_t;
-	type var_log_t;
+	#type var_log_t;
 	type httpd_t;
-	type httpd_log_t;
+	#type httpd_log_t;
-	type unreserved_port_t;
+	#type unreserved_port_t;
-	type smtp_port_t;
+	#type smtp_port_t;
-	type node_t;
+	#type node_t;
-	type shell_exec_t;
+	#type shell_exec_t;
 	class file { rename read lock create write getattr unlink open append entrypoint };
 	class dir { write getattr read remove_name create add_name };
 	class process { setsched transition rlimitinh siginh noatsecure };
@ -197,8 +203,10 @@ allow ossec_maild_t ossec_log_t:file { create_file_perms append_file_perms read
 ossec_log_filetrans(ossec_maild_t, ossec_log_t, file)
 # Sockets
-allow ossec_maild_t self:tcp_socket { create connect read write };
+allow ossec_maild_t self:tcp_socket create_socket_perms;
-allow ossec_maild_t smtp_port_t:tcp_socket { name_connect };
+corenet_tcp_connect_smtp_port(ossec_maild_t)
 #allow ossec_maild_t self:tcp_socket { create connect read write };
 #allow ossec_maild_t smtp_port_t:tcp_socket { name_connect };
 #============= ossec_execd_t ==============
@ -214,8 +222,14 @@ ossec_read_config(ossec_execd_t)
 search_dirs_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
 read_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
 #allow ossec_execd_t ossec_var_t:dir { write add_name };
 allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms };
 allow ossec_execd_t ossec_execd_journal_t:file manage_file_perms;
 filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal");
 # var run dir
-allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+#allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 allow ossec_execd_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
 # queue dir
@ -228,7 +242,8 @@ ossec_log_filetrans(ossec_execd_t, ossec_log_t, file)
 # active-response scripts
 search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
-exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)
+#exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)
 corecmd_exec_shell(ossec_execd_t)
 # dgram socket
 allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
@ -269,7 +284,7 @@ create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 # logs
-allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read };
+allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink };
 ossec_log_filetrans(ossec_analysisd_t, ossec_log_t, file)
 # rules dir
@ -302,9 +317,11 @@ manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
 allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_logcollector_t, ossec_log_t, file)
-search_dirs_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
+# Access all system logs:
-read_files_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
+logging_read_all_logs(ossec_logcollector_t)
-read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
+#search_dirs_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
 #read_files_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
 #read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
 # dgram socket
 allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write }; 
@ -339,11 +356,14 @@ allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms rea
 ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file)
 # Sockets
-allow ossec_remoted_t self:udp_socket { create bind read write };
+allow ossec_remoted_t self:udp_socket create_stream_socket_perms;
-allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind };
+corenet_udp_bind_all_unreserved_ports(ossec_remoted_t)
-allow ossec_remoted_t node_t:udp_socket { node_bind };
+corenet_udp_bind_generic_node(ossec_remoted_t)
 #allow ossec_remoted_t self:udp_socket { create bind read write };
 #allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind };
 #allow ossec_remoted_t node_t:udp_socket { node_bind };
-allow ossec_remoted_t self:tcp_socket { create bind };
+#allow ossec_remoted_t self:tcp_socket { create bind };
 # dgram socket
 allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };