Moment of truth, added ossec_exec_t for ossec-control
parent
bb86201bef
commit
99edc431fa
2 changed files with 21 additions and 2 deletions
4
ossec.fc
|
@ -18,6 +18,8 @@
|
|||
/var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
|
||||
/var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
|
||||
|
||||
/var/ossec/bin(/.*)? gen_context(system_u:object_r:ossec_bin_t,s0)
|
||||
/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_script_t,s0)
|
||||
|
||||
/var/ossec/bin/ossec-control -- gen_context(system_u:object_r:ossec_exec_t,s0)
|
||||
|
||||
|
|
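Review bot: The `/var/ossec/bin/ossec-control` entry depends on file-context precedence over the `/var/ossec/bin(/.*)?` rule, and nothing in the file says why this one script gets its own type; I would add a comment such as `# ossec-control gets its own executable type; this literal path overrides the /var/ossec/bin(/.*)? rule above`. The rendered page has lost its +/- markers, so it is not possible to read off which of the two `/var/ossec/bin(/.*)?` lines is the new one; if it is the `bin_t` line, every other executable in that directory falls back to the generic label and loses a distinct type that policy could key on. Existing installs also need the directory relabelled (for example `restorecon -R /var/ossec/bin`) before the new context applies, which is worth stating in the commit description or install notes.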
19
ossec.te
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ossec,1.0.6)
|
||||
policy_module(ossec,1.0.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -53,6 +53,7 @@ require {
|
|||
type ossec_stats_t;
|
||||
type ossec_queue_t;
|
||||
type ossec_script_t;
|
||||
type httpd_t;
|
||||
class file { rename read lock create write getattr unlink open append };
|
||||
class dir { write getattr read remove_name create add_name };
|
||||
}
|
||||
|
@ -63,3 +64,19 @@ require {
|
|||
# ossec local policy
|
||||
#
|
||||
|
||||
|
||||
#============= ossec_t ==============
|
||||
|
||||
|
||||
#============= httpd_t ==============
|
||||
allow httpd_t ossec_log_t:dir { read };
|
||||
allow httpd_t ossec_log_t:file { open read getattr };
|
||||
|
||||
allow httpd_t ossec_queue_t:dir { read };
|
||||
allow httpd_t ossec_queue_t:file { open read getattr };
|
||||
|
||||
allow httpd_t ossec_stats_t:dir { read };
|
||||
allow httpd_t ossec_stats_t:file { open read getattr };
|
||||
|
||||
|
||||
|
||||
|
|
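Review bot: The six `allow httpd_t …` rules at the end of ossec.te give the whole Apache domain unconditional read access to OSSEC logs, queue and stats, so any content that runs as `httpd_t` can read the HIDS data, not only the web UI. The `dir { read }` grants also omit `search`, `open` and `getattr`, which a process normally needs to traverse and list a directory, so these rules will probably still produce AVC denials (inferred, since the rest of the module is not shown). I would put the access behind a boolean that defaults to off and use the refpolicy patterns, as sketched below; the boolean name is only a suggestion. Separately, the `ossec_t` section is empty and no visible hunk declares `ossec_exec_t` or a transition into `ossec_t`, so please confirm that the new file context in ossec.fc has matching policy.

```selinux
# … unchanged: policy_module line, require block, "ossec local policy" header …

#============= httpd_t ==============
## <desc>
## <p>
## Allow httpd to read OSSEC logs, queue and stats.
## </p>
## </desc>
gen_tunable(httpd_read_ossec, false)

tunable_policy(`httpd_read_ossec',`
	list_dirs_pattern(httpd_t, ossec_log_t, ossec_log_t)
	read_files_pattern(httpd_t, ossec_log_t, ossec_log_t)

	list_dirs_pattern(httpd_t, ossec_queue_t, ossec_queue_t)
	read_files_pattern(httpd_t, ossec_queue_t, ossec_queue_t)

	list_dirs_pattern(httpd_t, ossec_stats_t, ossec_stats_t)
	read_files_pattern(httpd_t, ossec_stats_t, ossec_stats_t)
')
```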