From aeb1ee4e6bdfa1484778589d19d813e91542699f Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Wed, 25 Nov 2015 10:49:08 -0500 Subject: [PATCH] Lots of cleanup, interfaces. --- ossec.fc | 4 +- ossec.if | 120 ++++++++++++++++++++++++++++++++++++++----------------- ossec.te | 120 ++++++++++++++----------------------------------------- 3 files changed, 118 insertions(+), 126 deletions(-) diff --git a/ossec.fc b/ossec.fc index ad573c3..dfe7593 100644 --- a/ossec.fc +++ b/ossec.fc @@ -21,7 +21,9 @@ /var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0) /var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0) -/var/ossec/etc/shared(/.*)? gen_context(system_u:object_r:ossec_etc_share_t,s0) +/var/ossec/etc/shared/ar\.conf -- gen_context(system_u:object_r:ossec_analysisd_configfile_t,s0) +/var/ossec/etc/shared/merged\.mg -- gen_context(system_u:object_r:ossec_remoted_configfile_t,s0) +#/var/ossec/etc/shared(/.*)? gen_context(system_u:object_r:ossec_etc_share_t,s0) /var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0) #/var/ossec/active-response/bin(/.*)? -- gen_context(system_u:object_r:ossec_script_exec_t,s0) diff --git a/ossec.if b/ossec.if index c610bf4..fd315fe 100644 --- a/ossec.if +++ b/ossec.if @@ -52,13 +52,18 @@ interface(`ossec_domtrans',` ## ## # -interface(`ossec_read_log',` +interface(`ossec_read_logs',` gen_require(` + type var_t; type ossec_log_t; ') - logging_search_logs($1) - allow $1 ossec_log_t:file read_file_perms; + allow $1 var_t:dir search_dir_perms; + #read_files_pattern($1, ossec_log_t, ossec_log_t) + read_files_pattern($1, ossec_log_t, logfile) + #allow $1 ossec_log_t:dir search_dir_perms + #logging_search_logs($1) + #allow $1 ossec_log_t:file read_file_perms; ') ######################################## 
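Review bot: The two new `--` entries match regular files only, so the `/var/ossec/etc/shared` directory itself and every other file in it now fall through to the `/var/ossec/etc(/.*)?` entry above and get ossec_etc_t, where the dropped `ossec_etc_share_t` rule used to keep the whole tree separate. That is fine if ar.conf and merged.mg are the only files under shared/ that need their own label, but a file-context entry only takes effect at relabel time; a file the daemon creates at runtime inherits the directory's ossec_etc_t unless the .te side declares a type transition for it. The old entry kept as a `#` comment should be deleted rather than left in place; the history is in git.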
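Review bot: `read_files_pattern($1, ossec_log_t, logfile)` expands to `allow $1 logfile:file read_file_perms`, so passing the `logfile` attribute as the third argument grants the caller read on every log type on the system rather than on ossec_log_t alone, and ossec_read_logs(httpd_t) at the end of ossec.te then hands the web server all of /var/log. The commented-out line directly above it is the intended form: `read_files_pattern($1, ossec_log_t, ossec_log_t)`. Note also that `logfile` is not in the gen_require block (it would need `attribute logfile;`), which the module build may reject. The raw `allow $1 var_t:dir search_dir_perms;` is what `files_search_var($1)` exists for and avoids requiring the base var_t type in every interface.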
@@ -71,54 +76,62 @@ interface(`ossec_read_log',` ## ## # -interface(`ossec_write_log',` - gen_require(` - type ossec_log_t; - ') - - allow $1 ossec_log_t:file write; -') - +#interface(`ossec_write_log',` +# gen_require(` +# type ossec_log_t; +# ') +# +# allow $1 ossec_log_t:file write; +#') interface(`ossec_read_config',` gen_require(` + type var_t; type ossec_etc_t; ') - search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) - read_lnk_files_pattern($1, ossec_etc_t, ossec_etc_t) - read_files_pattern($1, ossec_etc_t, ossec_etc_t) - sysnet_read_config($1) + allow $1 var_t:dir search_dir_perms; + #allow $1 ossec_etc_t:dir search_dir_perms; + read_lnk_files_pattern($1, ossec_etc_t, configfile) + files_read_config_files($1, ossec_etc_t) ') -interface(`ossec_read_etc_shared',` - gen_require(` - type ossec_etc_t; - type ossec_etc_share_t; - ') +#interface(`ossec_read_shared_config',` +# gen_require(` +# type var_t; +# type ossec_etc_t; +# #type ossec_etc_share_t; +# ') +# +# allow $1 var_t:dir search_dir_perms; +# allow $1 ossec_etc_t:dir search_dir_perms; +# #allow $1 ossec_etc_share_t:dir search_dir_perms; +# allow $1 ossec_etc_share_t:file read_file_perms; +# #allow $1 ossec_analysisd_file_t:file read_file_perms; +# #search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) +# #search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) +# #read_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) +#') - search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) - search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) - read_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) -') - -interface(`ossec_manage_etc_shared',` - gen_require(` - type ossec_etc_t; - type ossec_etc_share_t; - ') - - search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) - search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) - manage_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) -') +#interface(`ossec_manage_shared_config',` +# gen_require(` +# type ossec_etc_t; +# type 
ossec_etc_share_t; +# ') +# +# search_dirs_pattern($1, ossec_etc_t, ossec_etc_t) +# search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t) +# manage_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t) +#') interface(`ossec_pid_filetrans',` gen_require(` + type var_t; type ossec_var_t, ossec_var_run_t; ') + allow $1 var_t:dir search_dir_perms; allow $1 ossec_var_t:dir search_dir_perms; allow $1 ossec_var_run_t:lnk_file read_lnk_file_perms; filetrans_pattern($1, ossec_var_run_t, $2, $3, $4) @@ -126,9 +139,44 @@ interface(`ossec_pid_filetrans',` interface(`ossec_log_filetrans',` gen_require(` - type ossec_log_t; + type var_t; + type ossec_var_t, ossec_log_t; ') + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_log_t:dir search_dir_perms; filetrans_pattern($1, ossec_log_t, $2, $3, $4) ') +interface(`ossec_read_stats',` + gen_require(` + type var_t; + type ossec_stats_t; + ') + + allow $1 var_t:dir search_dir_perms; + read_files_pattern($1, ossec_stats_t, ossec_stats_t) +') + +interface(`ossec_manage_stats',` + gen_require(` + type var_t; + type ossec_stats_t; + ') + + allow $1 var_t:dir search_dir_perms; + append_files_pattern($1, ossec_stats_t, ossec_stats_t) +') + +interface(`ossec_read_queue',` + gen_require(` + type var_t; + type ossec_queue_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_queue_t:dir list_dir_perms; + allow $1 ossec_queue_t:file read_file_perms; + #read_files_pattern($1, ossec_queue_t, ossec_queue_t) +') + diff --git a/ossec.te b/ossec.te index 8e79580..c165c24 100644 --- a/ossec.te +++ b/ossec.te @@ -1,5 +1,5 @@ -policy_module(ossec,1.0.186) +policy_module(ossec,1.0.201) ######################################## # 
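Review bot: `files_read_config_files($1, ossec_etc_t)` passes a second argument to a refpolicy interface that, as far as I know, takes only the domain and grants read on etc_t; if that is the case m4 silently drops the extra argument and nothing left in ossec_read_config grants read on ossec_etc_t:file, which the removed `read_files_pattern($1, ossec_etc_t, ossec_etc_t)` used to do — that line should stay. In the same way `read_lnk_files_pattern($1, ossec_etc_t, configfile)` grants read_lnk_file_perms on every type carrying the configfile attribute, not just OSSEC's; `read_lnk_files_pattern($1, ossec_etc_t, ossec_etc_t)` is the narrow form. The three interfaces turned into `#` comments (ossec_write_log, ossec_read_shared_config, ossec_manage_shared_config) should be removed outright instead of being carried as dead text.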
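Review bot: The new interfaces ossec_read_stats, ossec_manage_stats and ossec_read_queue have no `## <summary>` / `## <param>` documentation block, which the existing interfaces in this file carry and which the refpolicy interface documentation is generated from; each needs one stating the domain parameter and what is granted. ossec_manage_stats only calls append_files_pattern, so its name promises more than it grants; either rename it (ossec_append_stats) or say in its summary that it is append-only. In ossec_log_filetrans the newly required `type ossec_var_t` is not used by the body. Every interface here also repeats `allow $1 var_t:dir search_dir_perms;` against the base type; `files_search_var($1)` is the interface meant for that.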
@@ -30,6 +30,8 @@ files_type(ossec_execd_journal_t) type ossec_analysisd_t; type ossec_analysisd_exec_t; init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t) +type ossec_analysisd_configfile_t; +files_config_file(ossec_analysisd_configfile_t); # ossec-logcollector daemon type ossec_logcollector_t; @@ -40,6 +42,9 @@ init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t) type ossec_remoted_t; type ossec_remoted_exec_t; init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t) +type ossec_remoted_configfile_t; +files_config_file(ossec_remoted_configfile_t); + # ossec-syscheckd daemon type ossec_syscheckd_t; @@ -70,11 +75,6 @@ init_daemon_domain(ossec_agentlessd_t, ossec_agentlessd_exec_t) type ossec_initrc_exec_t; init_script_file(ossec_initrc_exec_t) -#optional_policy(` -# ossec_domtrans(httpd_t) -#') - -# ossec var dir type ossec_var_t; files_type(ossec_var_t) @@ -94,10 +94,6 @@ logging_log_file(ossec_log_t) type ossec_etc_t; files_config_file(ossec_etc_t) -# ossec etc share dir -type ossec_etc_share_t; -files_config_file(ossec_etc_share_t) - # ossec rules dir type ossec_rule_t; files_config_file(ossec_rule_t) 
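Review bot: `files_config_file(ossec_analysisd_configfile_t);` ends with a `;` while every neighbouring interface call in these declarations (`init_daemon_domain(...)`, `files_type(...)`) has none; the same trailing semicolon is on `files_config_file(ossec_remoted_configfile_t);` in the next hunk, and both should be dropped for consistency. Neither new type is paired with a type transition in the daemon rules, so a file created at runtime in an ossec_etc_t directory is labelled ossec_etc_t, not the new type, until a restorecon is run; the types only do their job if the creating domain gets a `filetrans_pattern` for the file name, as execd.sqlite-journal already has.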
@@ -128,48 +124,8 @@ unconfined_domain(ossec_ar_t) ### require { - #type ossec_bin_t; - - #type ossec_maild_t; - #type ossec_maild_exec_t; - #type ossec_execd_t; - #type ossec_execd_exec_t; - #type ossec_analysisd_t; - #type ossec_analysisd_exec_t; - #type ossec_logcollector_t; - #type ossec_logcollector_exec_t; - #type ossec_remoted_t; - #type ossec_remoted_exec_t; - #type ossec_syscheckd_t; - #type ossec_syscheckd_exec_t; - #type ossec_monitord_t; - #type ossec_monitord_exec_t; - #type ossec_dbd_t; - #type ossec_dbd_exec_t; - #type ossec_csyslogd_t; - #type ossec_csyslogd_exec_t; - #type ossec_agentlessd_t; - #type ossec_agentlessd_exec_t; - - #type ossec_var_t; - #type ossec_tmp_t; - #type ossec_log_t; - #type ossec_etc_t; - #type ossec_rule_t; - #type ossec_stats_t; - #type ossec_queue_t; - - #type ossec_ar_t; - #type ossec_ar_bin_t; - #type ossec_ar_exec_t; - - #type var_log_t; type httpd_t; - #type httpd_log_t; - #type unreserved_port_t; - #type smtp_port_t; - #type node_t; - #type shell_exec_t; + class file { rename read lock create write getattr unlink open append entrypoint }; class dir { write getattr read remove_name create add_name }; class process { setsched transition rlimitinh siginh noatsecure }; @@ -193,9 +149,10 @@ allow ossec_maild_t self:capability { dac_override dac_read_search setuid setgid # etc dir ossec_read_config(ossec_maild_t) +sysnet_read_config(ossec_maild_t) # var run dir -allow ossec_maild_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; +allow ossec_maild_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_maild_t, ossec_var_run_t, file) # logs 
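Review bot: `manage_file_perms` is a wider set than the `{ create_file_perms write_file_perms setattr read unlink }` it replaces on the maild pid file (it adds rename, link, lock and ioctl among others); the same substitution is made for the pid file of analysisd, logcollector, remoted, syscheckd and monitord in later hunks. If these daemons only create, write and unlink their pid file, `{ create_file_perms rw_file_perms delete_file_perms }` expresses that with the macro sets while keeping the grant as tight as before. manage_file_perms is the right choice only if a rename (for example an atomic replace of the pid file) actually shows up in the audit log.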
@@ -205,8 +162,6 @@ ossec_log_filetrans(ossec_maild_t, ossec_log_t, file) # Sockets allow ossec_maild_t self:tcp_socket create_socket_perms; corenet_tcp_connect_smtp_port(ossec_maild_t) -#allow ossec_maild_t self:tcp_socket { create connect read write }; -#allow ossec_maild_t smtp_port_t:tcp_socket { name_connect }; #============= ossec_execd_t ============== @@ -217,10 +172,7 @@ allow ossec_execd_t self:capability { dac_override dac_read_search setgid }; # etc dir ossec_read_config(ossec_execd_t) - -# etc share dir -search_dirs_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t) -read_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t) +sysnet_read_config(ossec_execd_t) #allow ossec_execd_t ossec_var_t:dir { write add_name }; allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms }; @@ -228,7 +180,6 @@ allow ossec_execd_t ossec_execd_journal_t:file manage_file_perms; filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal"); # var run dir -#allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; allow ossec_execd_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file) @@ -242,7 +193,6 @@ ossec_log_filetrans(ossec_execd_t, ossec_log_t, file) # active-response scripts search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t) -#exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t) corecmd_exec_shell(ossec_execd_t) # dgram socket 
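Review bot: Dropping the two ossec_etc_share_t read rules leaves nothing that grants ossec_execd_t read on ossec_analysisd_configfile_t, the label ossec.fc now puts on /var/ossec/etc/shared/ar.conf; if execd reads that file (the removed share-dir read rule suggests it read something under shared/), it is now denied. `sysnet_read_config(ossec_execd_t)` only moves the call that used to live inside ossec_read_config, so that part is behaviour-preserving. `read_files_pattern(ossec_execd_t, ossec_etc_t, ossec_analysisd_configfile_t)` would cover ar.conf; best confirmed against an audit run with the new policy.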
@@ -263,13 +213,11 @@ allow ossec_analysisd_t self:capability { dac_override dac_read_search fsetid se # etc dir ossec_read_config(ossec_analysisd_t) - -# etc share dir -search_dirs_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t) -manage_files_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t) +sysnet_read_config(ossec_analysisd_t) +manage_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_analysisd_configfile_t) # var run dir -allow ossec_analysisd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; +allow ossec_analysisd_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file) # queue dir @@ -278,10 +226,13 @@ rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t) manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t) # stats dir -rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) -rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) -create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) +allow ossec_analysisd_t ossec_stats_t:file read_file_perms; +#ossec_manage_stats(ossec_analysisd_t) +#rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) +#rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) +#create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) +#append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) # logs allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink }; 
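Review bot: `manage_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_analysisd_configfile_t)` expands to `allow ossec_analysisd_t ossec_etc_t:dir rw_dir_perms`, so analysisd can now add and remove entries in every directory labelled ossec_etc_t — all of /var/ossec/etc — where the removed rule confined that to ossec_etc_share_t; the same holds for `manage_files_pattern(ossec_remoted_t, ossec_etc_t, ossec_remoted_configfile_t)` in the remoted hunk. No type transition is declared, so an ar.conf created by the daemon inherits ossec_etc_t from its directory and the manage grant on ossec_analysisd_configfile_t never applies to it until a restorecon; since analysisd has only read on ossec_etc_t:file, the create itself is denied. `filetrans_pattern(ossec_analysisd_t, ossec_etc_t, ossec_analysisd_configfile_t, file, "ar.conf")`, and the merged.mg equivalent for remoted, fixes the label at creation in the way execd.sqlite-journal is handled. Keeping a dedicated type on the shared directory is what would bring the directory write back to the single directory it needs.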
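Review bot: The stats rules now grant only append and read on ossec_stats_t files, while the removed `create_files_pattern` and `rw_dirs_pattern` lines suggest analysisd creates new stats files at runtime; if it does (a new file when a period rolls over, for instance), creation is now denied. Either restore `create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)` together with the dir write it needs, or confirm from an audit run that the daemon only ever appends to existing files. The five rules kept as `#` comments below should be deleted rather than left in place.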
@@ -304,9 +255,10 @@ allow ossec_logcollector_t self:capability { dac_override dac_read_search }; # etc dir ossec_read_config(ossec_logcollector_t) +sysnet_read_config(ossec_logcollector_t) # var run dir -allow ossec_logcollector_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; +allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file) # queue dir @@ -336,14 +288,11 @@ allow ossec_remoted_t self:capability { dac_override dac_read_search setuid setg # etc dir ossec_read_config(ossec_remoted_t) - -# etc share dir -search_dirs_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t) -read_files_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t) -manage_files_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t) +sysnet_read_config(ossec_remoted_t) +manage_files_pattern(ossec_remoted_t, ossec_etc_t, ossec_remoted_configfile_t) # var run dir -allow ossec_remoted_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; +allow ossec_remoted_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file) # queue dir @@ -359,10 +308,6 @@ ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file) allow ossec_remoted_t self:udp_socket create_stream_socket_perms; corenet_udp_bind_all_unreserved_ports(ossec_remoted_t) corenet_udp_bind_generic_node(ossec_remoted_t) -#allow ossec_remoted_t self:udp_socket { create bind read write }; -#allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind }; -#allow ossec_remoted_t node_t:udp_socket { node_bind }; - #allow ossec_remoted_t self:tcp_socket { create bind }; # dgram socket 
@@ -378,9 +323,10 @@ allow ossec_syscheckd_t self:process { setsched }; # etc dir ossec_read_config(ossec_syscheckd_t) +sysnet_read_config(ossec_syscheckd_t) # var run dir -allow ossec_syscheckd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; +allow ossec_syscheckd_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file) # queue dir @@ -413,9 +359,10 @@ allow ossec_monitord_t self:capability { dac_override dac_read_search setuid set # etc dir ossec_read_config(ossec_monitord_t) +sysnet_read_config(ossec_monitord_t) # var run dir -allow ossec_monitord_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink }; +allow ossec_monitord_t ossec_var_run_t:file manage_file_perms; ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file) # queue dir @@ -434,12 +381,7 @@ allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto }; #============= httpd_t ============== -allow httpd_t ossec_log_t:dir { read }; -allow httpd_t ossec_log_t:file { open read getattr }; - -allow httpd_t ossec_queue_t:dir { read }; -allow httpd_t ossec_queue_t:file { open read getattr }; - -allow httpd_t ossec_stats_t:dir { read }; -allow httpd_t ossec_stats_t:file { open read getattr }; +ossec_read_logs(httpd_t) +ossec_read_queue(httpd_t) +ossec_read_stats(httpd_t)
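Review bot: `ossec_read_logs(httpd_t)`, as that interface is written in ossec.if, grants read on every file carrying the `logfile` attribute, so replacing three narrow `{ open read getattr }` rules with it gives the web server read access to all system logs rather than only OSSEC's; it also adds dir search on var_t and the OSSEC directories that the old `dir { read }` rules did not grant. This call is only acceptable once ossec_read_logs uses `read_files_pattern($1, ossec_log_t, ossec_log_t)`. The `require { type httpd_t; ... }` block that makes these lines compile is outside this hunk; wrapping the three calls in `optional_policy(` with a `gen_require(` for httpd_t would let the module load on hosts without the apache policy.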