From bb86201bef5820fa913d157617d563fe5ccadd57 Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Sat, 21 Nov 2015 16:14:31 -0500
Subject: [PATCH] Added full domain for ossec and labels for /var/ossec
---
ossec.fc | 14 +++++++++-
ossec.if | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
ossec.te | 53 +++++++++++++++++++++++++++++++++++-
3 files changed, 146 insertions(+), 3 deletions(-)
diff --git a/ossec.fc b/ossec.fc
index 03d6206..ba5d00c 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -7,5 +7,17 @@
#/var/log/mlogc(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
#/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
-/var/ossec/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
+/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
+/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
+/var/ossec/var(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
+/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
+
+/var/ossec/tmp(/.*)? gen_context(system_u:object_r:ossec_tmp_t,s0)
+
+/var/ossec/etc(/.*)? gen_context(system_u:object_r:ossec_etc_t,s0)
+/var/ossec/rules(/.*)? gen_context(system_u:object_r:ossec_rule_t,s0)
+
+/var/ossec/bin(/.*)? gen_context(system_u:object_r:ossec_bin_t,s0)
+/var/ossec/active-response(/.*)? gen_context(system_u:object_r:ossec_script_t,s0)
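Review bot: No path in this hunk is labelled `ossec_exec_t`, although ossec.if and ossec.te in the same patch make `ossec_exec_t` the entry point of `ossec_t`. With /var/ossec/bin labelled `ossec_bin_t`, the transition in `ossec_domtrans` has no entry-point file to match, unless one is labelled in the part of ossec.fc outside this hunk. If the daemons are meant to run confined, the bin entry could read `/var/ossec/bin(/.*)? gen_context(system_u:object_r:ossec_exec_t,s0)`, or only the binaries that should transition could get their own `ossec_exec_t` lines. Also worth checking: ossec.te declares `ossec_bin_t` with a bare `type` statement and no `files_type()` in the visible part, which would normally be needed before files can be relabelled to it.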
diff --git a/ossec.if b/ossec.if
index 3eb6a30..3c830ee 100644
--- a/ossec.if
+++ b/ossec.if
@@ -1 +1,81 @@
-##
+## ossec policy
+##
+##
+## More descriptive text about ossec. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+##
+##
+## This policy supports the following ossec features:
+##
+## - Feature A
+## - Feature B
+## - Feature C
+##
+##
+##
+#
+
+########################################
+##
+## Execute a domain transition to run ossec.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ossec_domtrans',`
+ gen_require(`
+ type ossec_t, ossec_exec_t;
+ type httpd_t, httpd_exec_t;
+ role system_r;
+ ')
+
+ domain_type(ossec_t)
+ domain_entry_file(ossec_t, ossec_exec_t)
+
+ role system_r types ossec_t;
+
+ domtrans_pattern($1, ossec_exec_t, ossec_t)
+ #domtrans_pattern($1,ossec_exec_t,ossec_t)
+')
+
+########################################
+##
+## Read ossec log files.
+##
+##
+##
+## Domain allowed to read the log files.
+##
+##
+#
+interface(`ossec_read_log',`
+ gen_require(`
+ type ossec_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ossec_log_t:file read_file_perms;
+')
+
+########################################
+##
+## Write ossec log files.
+##
+##
+##
+## Domain allowed to write the log files.
+##
+##
+#
+interface(`ossec_write_log',`
+ gen_require(`
+ type ossec_log_t;
+ ')
+
+ allow $1 ossec_log_t:file write;
+')
+
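Review bot: `ossec_write_log` grants only the bare `write` permission on `ossec_log_t` files, which lets a caller overwrite existing HIDS log records yet omits `open`, `getattr` and any directory search. For log producers the least-privilege form would be `allow $1 ossec_log_t:file append_file_perms;` together with `allow $1 ossec_log_t:dir search_dir_perms;`. `ossec_read_log` has the same directory gap: `logging_search_logs($1)` covers `var_log_t`, but ossec.fc labels /var/ossec/logs as `ossec_log_t`. In `ossec_domtrans`, the `domain_type`, `domain_entry_file` and `role system_r types ossec_t;` statements repeat declarations that ossec.te already makes, and the `gen_require` on `httpd_t, httpd_exec_t` is unused in the body while tying every caller to the apache module's types. That interface could be reduced to the `gen_require` for `ossec_t, ossec_exec_t` plus `domtrans_pattern($1, ossec_exec_t, ossec_t)`, dropping the commented-out duplicate, and the file header still carries the template placeholder text ("Feature A/B/C").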
diff --git a/ossec.te b/ossec.te
index a8f310f..1cc885e 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,11 +1,62 @@
-policy_module(ossec,1.0.1)
+policy_module(ossec,1.0.6)
########################################
#
# Declarations
#
+type ossec_t;
+type ossec_bin_t;
+type ossec_exec_t;
+role system_r types ossec_t;
+domain_type(ossec_t)
+domain_entry_file(ossec_t, ossec_exec_t)
+
+optional_policy(`
+ ossec_domtrans(httpd_t)
+')
+
+type ossec_var_t;
+files_type(ossec_var_t)
+
+type ossec_tmp_t;
+files_tmp_file(ossec_tmp_t)
+
+type ossec_log_t;
+logging_log_file(ossec_log_t)
+
+type ossec_etc_t;
+files_config_file(ossec_etc_t)
+
+type ossec_rule_t;
+files_config_file(ossec_rule_t)
+
+type ossec_stats_t;
+files_type(ossec_stats_t)
+
+type ossec_queue_t;
+files_type(ossec_queue_t)
+
+type ossec_script_t;
+files_type(ossec_script_t)
+
+require {
+ type ossec_t;
+ type ossec_bin_t;
+ type ossec_exec_t;
+ type ossec_var_t;
+ type ossec_tmp_t;
+ type ossec_log_t;
+ type ossec_etc_t;
+ type ossec_rule_t;
+ type ossec_stats_t;
+ type ossec_queue_t;
+ type ossec_script_t;
+ class file { rename read lock create write getattr unlink open append };
+ class dir { write getattr read remove_name create add_name };
+}
+
########################################
#