From aeb1ee4e6bdfa1484778589d19d813e91542699f Mon Sep 17 00:00:00 2001
From: Eric Renfro <psi-jack@linux-help.org>
Date: Wed, 25 Nov 2015 10:49:08 -0500
Subject: [PATCH] Lots of cleanup, interfaces.

---
 ossec.fc |   4 +-
 ossec.if | 120 ++++++++++++++++++++++++++++++++++++++-----------------
 ossec.te | 120 ++++++++++++++-----------------------------------------
 3 files changed, 118 insertions(+), 126 deletions(-)

diff --git a/ossec.fc b/ossec.fc
index ad573c3..dfe7593 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -21,7 +21,9 @@
 /var/ossec/tmp(/.*)?                      gen_context(system_u:object_r:ossec_tmp_t,s0)
 
 /var/ossec/etc(/.*)?                      gen_context(system_u:object_r:ossec_etc_t,s0)
-/var/ossec/etc/shared(/.*)?               gen_context(system_u:object_r:ossec_etc_share_t,s0)
+/var/ossec/etc/shared/ar\.conf         -- gen_context(system_u:object_r:ossec_analysisd_configfile_t,s0)
+/var/ossec/etc/shared/merged\.mg       -- gen_context(system_u:object_r:ossec_remoted_configfile_t,s0)
+#/var/ossec/etc/shared(/.*)?               gen_context(system_u:object_r:ossec_etc_share_t,s0)
 /var/ossec/rules(/.*)?                    gen_context(system_u:object_r:ossec_rule_t,s0)
 
 #/var/ossec/active-response/bin(/.*)? --   gen_context(system_u:object_r:ossec_script_exec_t,s0)
diff --git a/ossec.if b/ossec.if
index c610bf4..fd315fe 100644
--- a/ossec.if
+++ b/ossec.if
@@ -52,13 +52,18 @@ interface(`ossec_domtrans',`
 ##      </summary>
 ## </param>
 #
-interface(`ossec_read_log',`
+interface(`ossec_read_logs',`
         gen_require(`
+                type var_t;
                 type ossec_log_t;
         ')
 
-        logging_search_logs($1)
-        allow $1 ossec_log_t:file read_file_perms;
+        allow $1 var_t:dir search_dir_perms;
+        #read_files_pattern($1, ossec_log_t, ossec_log_t)
+        read_files_pattern($1, ossec_log_t, logfile)
+        #allow $1 ossec_log_t:dir search_dir_perms
+        #logging_search_logs($1)
+        #allow $1 ossec_log_t:file read_file_perms;
 ')
 
 ########################################
@@ -71,54 +76,62 @@ interface(`ossec_read_log',`
 ##      </summary>
 ## </param>
 #
-interface(`ossec_write_log',`
-        gen_require(`
-                type ossec_log_t;
-        ')
-
-        allow $1 ossec_log_t:file write;
-')
-
+#interface(`ossec_write_log',`
+#        gen_require(`
+#                type ossec_log_t;
+#        ')
+#
+#        allow $1 ossec_log_t:file write;
+#')
 
 
 interface(`ossec_read_config',`
 	gen_require(`
+        type var_t;
 		type ossec_etc_t;
 	')
 
-	search_dirs_pattern($1, ossec_etc_t, ossec_etc_t)
-	read_lnk_files_pattern($1, ossec_etc_t, ossec_etc_t)
-	read_files_pattern($1, ossec_etc_t, ossec_etc_t)
-	sysnet_read_config($1)
+    allow $1 var_t:dir search_dir_perms;
+    #allow $1 ossec_etc_t:dir search_dir_perms;
+	read_lnk_files_pattern($1, ossec_etc_t, configfile)
+    files_read_config_files($1, ossec_etc_t)
 ')
 
-interface(`ossec_read_etc_shared',`
-	gen_require(`
-		type ossec_etc_t;
-		type ossec_etc_share_t;
-	')
+#interface(`ossec_read_shared_config',`
+#	gen_require(`
+#        type var_t;
+#		type ossec_etc_t;
+#		#type ossec_etc_share_t;
+#	')
+#
+#	allow $1 var_t:dir search_dir_perms;
+#    allow $1 ossec_etc_t:dir search_dir_perms;
+#    #allow $1 ossec_etc_share_t:dir search_dir_perms;
+#    allow $1 ossec_etc_share_t:file read_file_perms;
+#    #allow $1 ossec_analysisd_file_t:file read_file_perms;
+#	#search_dirs_pattern($1, ossec_etc_t, ossec_etc_t)
+#	#search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
+#	#read_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
+#')
 
-	search_dirs_pattern($1, ossec_etc_t, ossec_etc_t)
-	search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
-	read_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
-')
-
-interface(`ossec_manage_etc_shared',`
-	gen_require(`
-		type ossec_etc_t;
-		type ossec_etc_share_t;
-	')
-
-	search_dirs_pattern($1, ossec_etc_t, ossec_etc_t)
-	search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
-	manage_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
-')
+#interface(`ossec_manage_shared_config',`
+#	gen_require(`
+#		type ossec_etc_t;
+#		type ossec_etc_share_t;
+#	')
+#
+#	search_dirs_pattern($1, ossec_etc_t, ossec_etc_t)
+#	search_dirs_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
+#	manage_files_pattern($1, ossec_etc_share_t, ossec_etc_share_t)
+#')
 
 interface(`ossec_pid_filetrans',`
 	gen_require(`
+        type var_t;
 		type ossec_var_t, ossec_var_run_t;
 	')
 
+    allow $1 var_t:dir search_dir_perms;
 	allow $1 ossec_var_t:dir search_dir_perms;
 	allow $1 ossec_var_run_t:lnk_file read_lnk_file_perms;
 	filetrans_pattern($1, ossec_var_run_t, $2, $3, $4)
@@ -126,9 +139,44 @@ interface(`ossec_pid_filetrans',`
 
 interface(`ossec_log_filetrans',`
 	gen_require(`
-		type ossec_log_t;
+        type var_t;
+		type ossec_var_t, ossec_log_t;
 	')
 
+    allow $1 var_t:dir search_dir_perms;
+	allow $1 ossec_log_t:dir search_dir_perms;
 	filetrans_pattern($1, ossec_log_t, $2, $3, $4)
 ')
 
+interface(`ossec_read_stats',`
+    gen_require(`
+        type var_t;
+        type ossec_stats_t;
+    ')
+
+    allow $1 var_t:dir search_dir_perms;
+    read_files_pattern($1, ossec_stats_t, ossec_stats_t)
+')
+
+interface(`ossec_manage_stats',`
+    gen_require(`
+        type var_t;
+        type ossec_stats_t;
+    ')
+
+    allow $1 var_t:dir search_dir_perms;
+    append_files_pattern($1, ossec_stats_t, ossec_stats_t)
+')
+
+interface(`ossec_read_queue',`
+    gen_require(`
+        type var_t;
+        type ossec_queue_t;
+    ')
+
+    allow $1 var_t:dir search_dir_perms;
+    allow $1 ossec_queue_t:dir list_dir_perms;
+    allow $1 ossec_queue_t:file read_file_perms;
+    #read_files_pattern($1, ossec_queue_t, ossec_queue_t)
+')
+
diff --git a/ossec.te b/ossec.te
index 8e79580..c165c24 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
 
-policy_module(ossec,1.0.186)
+policy_module(ossec,1.0.201)
 
 ########################################
 #
@@ -30,6 +30,8 @@ files_type(ossec_execd_journal_t)
 type ossec_analysisd_t;
 type ossec_analysisd_exec_t;
 init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t)
+type ossec_analysisd_configfile_t;
+files_config_file(ossec_analysisd_configfile_t);
 
 # ossec-logcollector daemon
 type ossec_logcollector_t;
@@ -40,6 +42,9 @@ init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
 type ossec_remoted_t;
 type ossec_remoted_exec_t;
 init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
+type ossec_remoted_configfile_t;
+files_config_file(ossec_remoted_configfile_t);
+
 
 # ossec-syscheckd daemon
 type ossec_syscheckd_t;
@@ -70,11 +75,6 @@ init_daemon_domain(ossec_agentlessd_t, ossec_agentlessd_exec_t)
 type ossec_initrc_exec_t;
 init_script_file(ossec_initrc_exec_t)
 
-#optional_policy(`
-#        ossec_domtrans(httpd_t)
-#')
-
-# ossec var dir
 type ossec_var_t;
 files_type(ossec_var_t)
 
@@ -94,10 +94,6 @@ logging_log_file(ossec_log_t)
 type ossec_etc_t;
 files_config_file(ossec_etc_t)
 
-# ossec etc share dir
-type ossec_etc_share_t;
-files_config_file(ossec_etc_share_t)
-
 # ossec rules dir
 type ossec_rule_t;
 files_config_file(ossec_rule_t)
@@ -128,48 +124,8 @@ unconfined_domain(ossec_ar_t)
 ###
 
 require {
-	#type ossec_bin_t;
-
-	#type ossec_maild_t;
-	#type ossec_maild_exec_t;
-	#type ossec_execd_t;
-	#type ossec_execd_exec_t;
-	#type ossec_analysisd_t;
-	#type ossec_analysisd_exec_t;
-	#type ossec_logcollector_t;
-	#type ossec_logcollector_exec_t;
-	#type ossec_remoted_t;
-	#type ossec_remoted_exec_t;
-	#type ossec_syscheckd_t;
-	#type ossec_syscheckd_exec_t;
-	#type ossec_monitord_t;
-	#type ossec_monitord_exec_t;
-	#type ossec_dbd_t;
-	#type ossec_dbd_exec_t;
-	#type ossec_csyslogd_t;
-	#type ossec_csyslogd_exec_t;
-	#type ossec_agentlessd_t;
-	#type ossec_agentlessd_exec_t;
-	
-	#type ossec_var_t;
-	#type ossec_tmp_t;
-	#type ossec_log_t;
-	#type ossec_etc_t;
-	#type ossec_rule_t;
-	#type ossec_stats_t;
-	#type ossec_queue_t;
-
-	#type ossec_ar_t;
-	#type ossec_ar_bin_t;
-	#type ossec_ar_exec_t;
-
-	#type var_log_t;
 	type httpd_t;
-	#type httpd_log_t;
-	#type unreserved_port_t;
-	#type smtp_port_t;
-	#type node_t;
-	#type shell_exec_t;
+
 	class file { rename read lock create write getattr unlink open append entrypoint };
 	class dir { write getattr read remove_name create add_name };
 	class process { setsched transition rlimitinh siginh noatsecure };
@@ -193,9 +149,10 @@ allow ossec_maild_t self:capability { dac_override dac_read_search setuid setgid
 
 # etc dir
 ossec_read_config(ossec_maild_t)
+sysnet_read_config(ossec_maild_t)
 
 # var run dir
-allow ossec_maild_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_maild_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_maild_t, ossec_var_run_t, file)
 
 # logs
@@ -205,8 +162,6 @@ ossec_log_filetrans(ossec_maild_t, ossec_log_t, file)
 # Sockets
 allow ossec_maild_t self:tcp_socket create_socket_perms;
 corenet_tcp_connect_smtp_port(ossec_maild_t)
-#allow ossec_maild_t self:tcp_socket { create connect read write };
-#allow ossec_maild_t smtp_port_t:tcp_socket { name_connect };
 
 
 #============= ossec_execd_t ==============
@@ -217,10 +172,7 @@ allow ossec_execd_t self:capability { dac_override dac_read_search setgid };
 
 # etc dir
 ossec_read_config(ossec_execd_t)
-
-# etc share dir
-search_dirs_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
-read_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
+sysnet_read_config(ossec_execd_t)
 
 #allow ossec_execd_t ossec_var_t:dir { write add_name };
 allow ossec_execd_t ossec_execd_file_t:file { create_file_perms rw_file_perms };
@@ -228,7 +180,6 @@ allow ossec_execd_t ossec_execd_journal_t:file manage_file_perms;
 filetrans_pattern(ossec_execd_t, ossec_var_t, ossec_execd_journal_t, file, "execd.sqlite-journal");
 
 # var run dir
-#allow ossec_execd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
 allow ossec_execd_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
 
@@ -242,7 +193,6 @@ ossec_log_filetrans(ossec_execd_t, ossec_log_t, file)
 
 # active-response scripts
 search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
-#exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)
 corecmd_exec_shell(ossec_execd_t)
 
 # dgram socket
@@ -263,13 +213,11 @@ allow ossec_analysisd_t self:capability { dac_override dac_read_search fsetid se
 
 # etc dir
 ossec_read_config(ossec_analysisd_t)
-
-# etc share dir
-search_dirs_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)
-manage_files_pattern(ossec_analysisd_t, ossec_etc_share_t, ossec_etc_share_t)
+sysnet_read_config(ossec_analysisd_t)
+manage_files_pattern(ossec_analysisd_t, ossec_etc_t, ossec_analysisd_configfile_t)
 
 # var run dir
-allow ossec_analysisd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_analysisd_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file)
 
 # queue dir
@@ -278,10 +226,13 @@ rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
 manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
 
 # stats dir
-rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
-rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
-create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+allow ossec_analysisd_t ossec_stats_t:file read_file_perms;
+#ossec_manage_stats(ossec_analysisd_t)
+#rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+#rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+#create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+#append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 
 # logs
 allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink };
@@ -304,9 +255,10 @@ allow ossec_logcollector_t self:capability { dac_override dac_read_search };
 
 # etc dir
 ossec_read_config(ossec_logcollector_t)
+sysnet_read_config(ossec_logcollector_t)
 
 # var run dir
-allow ossec_logcollector_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file)
 
 # queue dir
@@ -336,14 +288,11 @@ allow ossec_remoted_t self:capability { dac_override dac_read_search setuid setg
 
 # etc dir
 ossec_read_config(ossec_remoted_t)
-
-# etc share dir
-search_dirs_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t)
-read_files_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t)
-manage_files_pattern(ossec_remoted_t, ossec_etc_share_t, ossec_etc_share_t)
+sysnet_read_config(ossec_remoted_t)
+manage_files_pattern(ossec_remoted_t, ossec_etc_t, ossec_remoted_configfile_t)
 
 # var run dir
-allow ossec_remoted_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_remoted_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file)
 
 # queue dir
@@ -359,10 +308,6 @@ ossec_log_filetrans(ossec_remoted_t, ossec_log_t, file)
 allow ossec_remoted_t self:udp_socket create_stream_socket_perms;
 corenet_udp_bind_all_unreserved_ports(ossec_remoted_t)
 corenet_udp_bind_generic_node(ossec_remoted_t)
-#allow ossec_remoted_t self:udp_socket { create bind read write };
-#allow ossec_remoted_t unreserved_port_t:udp_socket { name_bind };
-#allow ossec_remoted_t node_t:udp_socket { node_bind };
-
 #allow ossec_remoted_t self:tcp_socket { create bind };
 
 # dgram socket
@@ -378,9 +323,10 @@ allow ossec_syscheckd_t self:process { setsched };
 
 # etc dir
 ossec_read_config(ossec_syscheckd_t)
+sysnet_read_config(ossec_syscheckd_t)
 
 # var run dir
-allow ossec_syscheckd_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_syscheckd_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
 
 # queue dir
@@ -413,9 +359,10 @@ allow ossec_monitord_t self:capability { dac_override dac_read_search setuid set
 
 # etc dir
 ossec_read_config(ossec_monitord_t)
+sysnet_read_config(ossec_monitord_t)
 
 # var run dir
-allow ossec_monitord_t ossec_var_run_t:file { create_file_perms write_file_perms setattr read unlink };
+allow ossec_monitord_t ossec_var_run_t:file manage_file_perms;
 ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file)
 
 # queue dir
@@ -434,12 +381,7 @@ allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
 
 #============= httpd_t ==============
 
-allow httpd_t ossec_log_t:dir { read };
-allow httpd_t ossec_log_t:file { open read getattr };
-
-allow httpd_t ossec_queue_t:dir { read };
-allow httpd_t ossec_queue_t:file { open read getattr };
-
-allow httpd_t ossec_stats_t:dir { read };
-allow httpd_t ossec_stats_t:file { open read getattr };
+ossec_read_logs(httpd_t)
+ossec_read_queue(httpd_t)
+ossec_read_stats(httpd_t)