diff --git a/ossec.fc b/ossec.fc
index ba5d00c..a06e327 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -18,6 +18,8 @@
 /var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
 /var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
-/var/ossec/bin(/.*)? gen_context(system_u:object_r:ossec_bin_t,s0)
+/var/ossec/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_script_t,s0)
+/var/ossec/bin/ossec-control -- gen_context(system_u:object_r:ossec_exec_t,s0)
+
diff --git a/ossec.te b/ossec.te
index 1cc885e..e889ca2 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.6)
+policy_module(ossec,1.0.11)
 ########################################
 #
@@ -53,6 +53,7 @@ require {
 	type ossec_stats_t;
 	type ossec_queue_t;
 	type ossec_script_t;
+	type httpd_t;
 	class file { rename read lock create write getattr unlink open append };
 	class dir { write getattr read remove_name create add_name };
 }
@@ -63,3 +64,19 @@ require {
 # ossec local policy
 #
+
+#============= ossec_t ==============
+
+
+#============= httpd_t ==============
+allow httpd_t ossec_log_t:dir { read };
+allow httpd_t ossec_log_t:file { open read getattr };
+
+allow httpd_t ossec_queue_t:dir { read };
+allow httpd_t ossec_queue_t:file { open read getattr };
+
+allow httpd_t ossec_stats_t:dir { read };
+allow httpd_t ossec_stats_t:file { open read getattr };
+
+
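Review bot: Dropping `ossec_bin_t` for the generic `bin_t` on `/var/ossec/bin(/.*)?` while only `ossec-control` receives `ossec_exec_t` leaves every other binary in that directory executable by any domain holding `corecmd_exec_bin` (including the network-facing `httpd_t` this same commit wires up) and with no entrypoint into `ossec_t` of its own. If the intent is that `ossec-control` starts the remaining daemons inside `ossec_t`, that domain needs permission to execute `bin_t` files (something like `corecmd_exec_bin(ossec_t)` in ossec.te), which no hunk here adds; please confirm how those binaries are meant to end up in `ossec_t`, or give them `ossec_exec_t` entries as well. If `ossec_bin_t` is still declared in ossec.te (not visible in this diff) it is now an unused type and should be removed, and existing installs need `restorecon -R /var/ossec/bin` to pick up the new labels. A one-line note above the new entry would save the next reader the guesswork, e.g. `# ossec-control is the only ossec_t entrypoint; everything else in bin/ is plain bin_t`.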
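Review bot: `type httpd_t;` inside the unconditional `require { }` block makes this module fail to load on any system without the apache policy module installed, since a hard require cannot be satisfied. Keep the httpd rules in an `optional_policy()` block with a `gen_require()` declaring `httpd_t` inside it, or better, add `ossec_read_log()`-style interfaces to ossec.if and call them from the apache policy so ossec.te never has to name `httpd_t` at all. The `class dir { ... }` line that follows also lacks `search`, which any rule that opens files beneath a labelled directory will need; extend it to `class dir { write getattr read search remove_name create add_name };` while touching this block. The `require {` line itself opens above this hunk.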
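Review bot: `allow httpd_t ossec_log_t:dir { read }` and its two siblings grant directory listing but not `search`, so opening a file under those trees will still fail with a `search` denial; the rules should read `allow httpd_t ossec_log_t:dir { read search getattr };` (likewise for `ossec_queue_t` and `ossec_stats_t`), and `httpd_t` additionally needs `search` on whatever type `/var/ossec` itself carries, which this diff does not show. More importantly, this hands the network-facing web server unconditional read access to the entire alert log, queue and stats trees, which presumably hold sensitive host data (alert contents, syscheck state); the grant should be gated behind a tunable_policy boolean (e.g. `httpd_read_ossec_logs`), narrowed to the subtree a web front-end actually reads, and annotated with its consumer, e.g. `# read-only access for the OSSEC web UI served by httpd; gated by httpd_read_ossec_logs`. The empty `#============= ossec_t ==============` heading looks like leftover audit2allow output and should be removed rather than committed.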