Added full domain for ossec and labels for /var/ossec

Eric Renfro 2015-11-21 16:14:31 -05:00
parent 64797a65c1
commit bb86201bef
3 changed files with 146 additions and 3 deletions


@ -7,5 +7,17 @@
#/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
#/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
/var/ossec/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
/var/ossec/var(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
/var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0)
/var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
/var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
/var/ossec/bin(/.*)? gen_context(system_u:object_r:ossec_bin_t,s0)
/var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_script_t,s0)
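Review bot: None of the added entries assigns `ossec_exec_t`, which this same commit declares as the entry point for `ossec_t` (`domain_entry_file(ossec_t, ossec_exec_t)`). Everything under `/var/ossec/bin` is labelled `ossec_bin_t` instead, so unless a line above this hunk labels the daemons, no file can trigger the transition and the binaries keep running in the caller's domain, outside the confinement the policy is meant to provide. A more specific entry for the daemon executables would close that gap, for example `/var/ossec/bin/<daemon> -- gen_context(system_u:object_r:ossec_exec_t,s0)`, where `<daemon>` is a placeholder. The `(/.*)?` patterns also match the directories themselves, so it is worth confirming with `restorecon -n -v` that the result is the intended one.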


@ -1 +1,81 @@
## <summary></summary>
## <summary>ossec policy</summary>
## <desc>
## <p>
## More descriptive text about ossec. The desc
## tag can also use p, ul, and ol
## html tags for formatting.
## </p>
## <p>
## This policy supports the following ossec features:
## <ul>
## <li>Feature A</li>
## <li>Feature B</li>
## <li>Feature C</li>
## </ul>
## </p>
## </desc>
#
########################################
## <summary>
## Execute a domain transition to run ossec.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ossec_domtrans',`
gen_require(`
type ossec_t, ossec_exec_t;
type httpd_t, httpd_exec_t;
role system_r;
')
domain_type(ossec_t)
domain_entry_file(ossec_t, ossec_exec_t)
role system_r types ossec_t;
domtrans_pattern($1, ossec_exec_t, ossec_t)
#domtrans_pattern($1,ossec_exec_t,ossec_t)
')
########################################
## <summary>
## Read ossec log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to read the log files.
## </summary>
## </param>
#
interface(`ossec_read_log',`
gen_require(`
type ossec_log_t;
')
logging_search_logs($1)
allow $1 ossec_log_t:file read_file_perms;
')
########################################
## <summary>
## Write ossec log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to write the log files.
## </summary>
## </param>
#
interface(`ossec_write_log',`
gen_require(`
type ossec_log_t;
')
allow $1 ossec_log_t:file write;
')
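Review bot: `ossec_write_log` grants a bare `write` on `ossec_log_t` files, which lets the calling domain modify existing log content rather than only add to it, and that is a poor fit for the logs of an intrusion-detection system. Without `open` or `getattr` the rule is also unlikely to work in practice, and unlike `ossec_read_log` it omits `logging_search_logs($1)`. I would change the body to `logging_search_logs($1)` followed by `allow $1 ossec_log_t:file append_file_perms;`. Separately, `ossec_domtrans` requires `httpd_t` and `httpd_exec_t` without using them, which ties the interface to the apache module. It also repeats `domain_type`, `domain_entry_file` and the `role` statement, which belong in the .te file; the interface should only require `ossec_t` and `ossec_exec_t` and call `domtrans_pattern`. The commented-out duplicate `domtrans_pattern` line and the template text in `<desc>` ("Feature A" and so on) can be dropped.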


@ -1,11 +1,62 @@
policy_module(ossec,1.0.1)
policy_module(ossec,1.0.6)
########################################
#
# Declarations
#
type ossec_t;
type ossec_bin_t;
type ossec_exec_t;
role system_r types ossec_t;
domain_type(ossec_t)
domain_entry_file(ossec_t, ossec_exec_t)
optional_policy(`
ossec_domtrans(httpd_t)
')
type ossec_var_t;
files_type(ossec_var_t)
type ossec_tmp_t;
files_tmp_file(ossec_tmp_t)
type ossec_log_t;
logging_log_file(ossec_log_t)
type ossec_etc_t;
files_config_file(ossec_etc_t)
type ossec_rule_t;
files_config_file(ossec_rule_t)
type ossec_stats_t;
files_type(ossec_stats_t)
type ossec_queue_t;
files_type(ossec_queue_t)
type ossec_script_t;
files_type(ossec_script_t)
require {
type ossec_t;
type ossec_bin_t;
type ossec_exec_t;
type ossec_var_t;
type ossec_tmp_t;
type ossec_log_t;
type ossec_etc_t;
type ossec_rule_t;
type ossec_stats_t;
type ossec_queue_t;
type ossec_script_t;
class file { rename read lock create write getattr unlink open append };
class dir { write getattr read remove_name create add_name };
}
########################################
#