diff --git a/ossec.te b/ossec.te
index 30b583e..5d035a4 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.175)
+policy_module(ossec,1.0.176)
 ########################################
 #
@@ -64,9 +64,9 @@ init_daemon_domain(ossec_agentlessd_t, ossec_agentlessd_exec_t)
 type ossec_initrc_exec_t;
 init_script_file(ossec_initrc_exec_t)
-optional_policy(`
- ossec_domtrans(httpd_t)
-')
+#optional_policy(`
+# ossec_domtrans(httpd_t)
+#')
 # ossec var dir
 type ossec_var_t;
@@ -164,7 +164,6 @@ require {
 type smtp_port_t;
 type node_t;
 type shell_exec_t;
- type unconfined_t;
 class file { rename read lock create write getattr unlink open append entrypoint };
 class dir { write getattr read remove_name create add_name };
 class process { setsched transition rlimitinh siginh noatsecure };
@@ -189,9 +188,6 @@ allow ossec_maild_t self:capability { dac_override dac_read_search setuid setgid
 # etc dir
 ossec_read_config(ossec_maild_t)
-# var dir
-#search_dirs_pattern(ossec_maild_t, ossec_var_t, ossec_var_t)
-
 # var run dir
 allow ossec_maild_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 ossec_pid_filetrans(ossec_maild_t, ossec_var_run_t, file)
@@ -199,10 +195,6 @@ ossec_pid_filetrans(ossec_maild_t, ossec_var_run_t, file)
 # logs
 allow ossec_maild_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_maild_t, ossec_log_t, file)
-#search_dirs_pattern(ossec_maild_t, ossec_log_t, ossec_log_t)
-#read_files_pattern(ossec_maild_t, ossec_log_t, ossec_log_t)
-#allow ossec_maild_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_maild_t, ossec_log_t, file)
 # Sockets
 allow ossec_maild_t self:tcp_socket { create connect read write };
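Review bot: Commenting out the `optional_policy(` ossec_domtrans(httpd_t) ')` block in hunk @@ -64 instead of deleting it is at odds with the rest of this commit, which removes dead commented-out policy everywhere else. If the httpd_t to ossec domain transition is being dropped for good, delete the three lines; if it is only disabled pending a fix, keep the commented block but add a one-line reason above it, e.g. `# httpd_t -> ossec_t transition disabled: <reason goes here>`. Either way this is a behavioural change, not cleanup: a web front-end running as httpd_t that executes ossec binaries will no longer enter the ossec domain and will be judged by httpd_t's own rules instead, so it should be a recorded decision rather than a leftover.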
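Review bot: Dropping `type unconfined_t;` from the require block in hunk @@ -164 is the right follow-through for the deleted unconfined transition rules in hunk @@ -258; a stale `require` is a needless load-time dependency on that type and a standing invitation to reintroduce rules against it. `type smtp_port_t;` and `type shell_exec_t;` stay in the block, and the only mention of smtp_port_t visible in this diff is the commented-out line removed in hunk @@ -457, so it is worth confirming that both are still referenced on the new side of the file, or trimming them in the same pass. The require block continues outside the hunk, so this is an inference from what is visible here.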
@@ -221,14 +213,6 @@ ossec_read_config(ossec_execd_t)
 # etc share dir
 search_dirs_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
 read_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
-#manage_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
-
-# var dir
-##search_dirs_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-#rw_dirs_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-##rw_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-##create_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-#manage_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
 # var run dir
 allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
@@ -241,10 +225,6 @@ manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
 # logs
 allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_execd_t, ossec_log_t, file)
-#search_dirs_pattern(ossec_execd_t, ossec_log_t, ossec_log_t)
-#read_files_pattern(ossec_execd_t, ossec_log_t, ossec_log_t)
-#allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_execd_t, ossec_log_t, file)
 # active-response scripts
 search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
@@ -258,12 +238,6 @@ dev_read_urand(ossec_execd_t)
 # Run autoresponce unconstrained
 allow ossec_execd_t ossec_ar_t:process { rlimitinh siginh noatsecure };
-#allow ossec_execd_t ossec_script_t:process { rlimitinh siginh noatsecure };
-##allow ossec_execd_t unconfined_t:process { transition rlimitinh siginh noatsecure };
-##allow unconfined_t ossec_script_exec_t:file { entrypoint };
-
-###unconfined_domtrans(ossec_script_t)
-###unconfined_run(ossec_execd_t, ossec_script_t)
 #============= ossec_analysisd_t ==============
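Review bot: The retained comment `# Run autoresponce unconstrained` in hunk @@ -258 is now misleading: once the commented-out unconfined variants are gone, the only rule under it is `allow ossec_execd_t ossec_ar_t:process { rlimitinh siginh noatsecure };`, which only lets execd pass rlimits, signal state and the noatsecure flag into the module's own ossec_ar_t domain, nothing unconfined. Suggest replacing it with `# Active-response scripts run in ossec_ar_t; let execd hand rlimits and signal state across the transition` (also fixing the spelling). Deleting the unconfined_domtrans/unconfined_run leftovers rather than leaving them commented is the right call, since such lines invite someone to uncomment a path that would let active-response scripts run outside the confined domain, and it matches the `type unconfined_t;` removal in hunk @@ -164. The transition into ossec_ar_t itself is not in this hunk, so I have not checked it.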
@@ -279,13 +253,6 @@ ossec_read_config(ossec_analysisd_t)
 search_dirs_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)
 manage_files_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)
-# var dir
-#search_dirs_pattern(ossec_analysisd_t, ossec_var_t, ossec_var_t)
-##rw_dirs_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-###rw_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-###create_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-###manage_files_pattern(ossec_execd_t, ossec_var_t, ossec_var_t)
-
 # var run dir
 allow ossec_analysisd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file)
@@ -304,13 +271,6 @@ append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 # logs
 allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_analysisd_t, ossec_log_t, file)
-##search_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-#add_entry_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-#manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##read_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##delete_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_analysisd_t, ossec_log_t, file)
 # rules dir
 search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
@@ -325,35 +285,22 @@ allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
 #============= ossec_logcollector_t ==============
 # init
-##auth_read_passwd(ossec_execd_t)
 allow ossec_logcollector_t self:capability { dac_override dac_read_search };
 # etc dir
 ossec_read_config(ossec_logcollector_t)
-# var dir
-#search_dirs_pattern(ossec_logcollector_t, ossec_var_t, ossec_var_t)
-
 # var run dir
 allow ossec_logcollector_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file)
 # queue dir
 search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
-#rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-#rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
 manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
 # logs
 allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_logcollector_t, ossec_log_t, file)
-#search_dirs_pattern(ossec_logcollector_t, ossec_log_t, ossec_log_t)
-##add_entry_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-#read_files_pattern(ossec_logcollector_t, ossec_log_t, ossec_log_t)
-###delete_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-###allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_logcollector_t, ossec_log_t, file)
 search_dirs_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
 read_files_pattern(ossec_logcollector_t, httpd_log_t, httpd_log_t)
@@ -378,29 +325,18 @@ search_dirs_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t)
 read_files_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t)
 manage_files_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t)
-# var dir
-#search_dirs_pattern(ossec_remoted_t, ossec_var_t, ossec_var_t)
-
 # var run dir
 allow ossec_remoted_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file)
 # queue dir
 search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
-##rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
 rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
 manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
 # logs
 allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file)
-#search_dirs_pattern(ossec_remoted_t, ossec_log_t, ossec_log_t)
-##add_entry_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-#read_files_pattern(ossec_remoted_t, ossec_log_t, ossec_log_t)
-###delete_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-###allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_remoted_t, ossec_log_t, file)
 # Sockets
 allow ossec_remoted_t self:udp_socket { create bind read write };
@@ -408,8 +344,6 @@ allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind };
 allow ossec_remoted_t node_t:udp_socket { node_bind };
 allow ossec_remoted_t self:tcp_socket { create bind };
-#allow ossec_remoted_t unreserved_port_t:tcp_socket { name_bind };
-#allow ossec_remoted_t node_t:tcp_socket { node_bind };
 # dgram socket
 allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
@@ -419,36 +353,23 @@ allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
 #============= ossec_syscheckd_t ==============
 # init
-#auth_read_passwd(ossec_syschecld_t)
 allow ossec_syscheckd_t self:capability { dac_override dac_read_search setuid setgid sys_chroot sys_nice };
 allow ossec_syscheckd_t self:process { setsched };
 # etc dir
 ossec_read_config(ossec_syscheckd_t)
-# var dir
-#search_dirs_pattern(ossec_syscheckd_t, ossec_var_t, ossec_var_t)
-
 # var run dir
 allow ossec_syscheckd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
 # queue dir
 search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
-##rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-#rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
 manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
 # logs
 allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
-#search_dirs_pattern(ossec_syscheckd_t, ossec_log_t, ossec_log_t)
-##add_entry_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-#read_files_pattern(ossec_syscheckd_t, ossec_log_t, ossec_log_t)
-###delete_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-###allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
 # dgram socket
 allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
@@ -457,7 +378,6 @@ allow ossec_syscheckd_t ossec_analysisd_t:unix_dgram_socket { sendto };
 # Sockets
 allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
 allow ossec_syscheckd_t self:tcp_socket { create connect read write };
-#allow ossec_d_t smtp_port_t:tcp_socket { name_connect };
 # all the things
 files_read_all_files(ossec_syscheckd_t)
@@ -474,30 +394,18 @@ allow ossec_monitord_t self:capability { dac_override dac_read_search setuid set
 # etc dir
 ossec_read_config(ossec_monitord_t)
-# var dir
-#search_dirs_pattern(ossec_monitord_t, ossec_var_t, ossec_var_t)
-
 # var run dir
 allow ossec_monitord_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file)
 # queue dir
 search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
-##rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-#rw_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
 read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
 manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
 # logs
 allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file)
-#rw_dirs_pattern(ossec_monitord_t, ossec_log_t, ossec_log_t)
-##add_entry_dirs_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-##manage_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-#rw_files_pattern(ossec_monitord_t, ossec_log_t, ossec_log_t)
-###delete_files_pattern(ossec_analysisd_t, ossec_log_t, ossec_log_t)
-###allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms };
-#logging_log_filetrans(ossec_monitord_t, ossec_log_t, file)
 # dgram socket
 allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };