Added full domain for ossec and labels for /var/ossec

ossec.fc

@@ -7,5 +7,17 @@
 #/var/log/mlogc(/.*)?                    gen_context(system_u:object_r:mlogc_log_t,s0)
 #/var/log/mlogc/data(/.*)?               gen_context(system_u:object_r:mlogc_log_t,s0)
 
-/var/ossec/logs(/.*)?                     gen_context(system_u:object_r:var_log_t,s0)
+/var/ossec/logs(/.*)?                     gen_context(system_u:object_r:ossec_log_t,s0)
+/var/ossec/queue(/.*)?                    gen_context(system_u:object_r:ossec_queue_t,s0)
+/var/ossec/stats(/.*)?                    gen_context(system_u:object_r:ossec_stats_t,s0)
+/var/ossec/var(/.*)?                      gen_context(system_u:object_r:ossec_var_t,s0)
+/var/ossec/agentless(/.*)?                gen_context(system_u:object_r:ossec_var_t,s0)
+
+/var/ossec/tmp(/.*)?                      gen_context(system_u:object_r:ossec_tmp_t,s0)
+
+/var/ossec/etc(/.*)?                      gen_context(system_u:object_r:ossec_etc_t,s0)
+/var/ossec/rules(/.*)?                    gen_context(system_u:object_r:ossec_rule_t,s0)
+
+/var/ossec/bin(/.*)?                      gen_context(system_u:object_r:ossec_bin_t,s0)
+/var/ossec/active-response(/.*)?          gen_context(system_u:object_r:ossec_script_t,s0)
 

ossec.if

@@ -1 +1,81 @@
-## <summary></summary>
+## <summary>ossec policy</summary>
+## <desc>
+##      <p>
+##              More descriptive text about ossec.  The desc
+##              tag can also use p, ul, and ol
+##              html tags for formatting.
+##      </p>
+##      <p>
+##              This policy supports the following ossec features:
+##              <ul>
+##              <li>Feature A</li>
+##              <li>Feature B</li>
+##              <li>Feature C</li>
+##              </ul>
+##      </p>
+## </desc>
+#
+
+########################################
+## <summary>
+##      Execute a domain transition to run ossec.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`ossec_domtrans',`
+        gen_require(`
+                type ossec_t, ossec_exec_t;
+                type httpd_t, httpd_exec_t;
+                role system_r;
+        ')
+
+        domain_type(ossec_t)
+        domain_entry_file(ossec_t, ossec_exec_t)
+
+        role system_r types ossec_t;
+
+        domtrans_pattern($1, ossec_exec_t, ossec_t)
+        #domtrans_pattern($1,ossec_exec_t,ossec_t)
+')
+
+########################################
+## <summary>
+##      Read ossec log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to read the log files.
+##      </summary>
+## </param>
+#
+interface(`ossec_read_log',`
+        gen_require(`
+                type ossec_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 ossec_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      Write ossec log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to write the log files.
+##      </summary>
+## </param>
+#
+interface(`ossec_write_log',`
+        gen_require(`
+                type ossec_log_t;
+        ')
+
+        allow $1 ossec_log_t:file write;
+')
+

ossec.te

@@ -1,11 +1,62 @@
 
-policy_module(ossec,1.0.1)
+policy_module(ossec,1.0.6)
 
 ########################################
 #
 # Declarations
 #
 
+type ossec_t;
+type ossec_bin_t;
+type ossec_exec_t;
+role system_r types ossec_t;
+domain_type(ossec_t)
+domain_entry_file(ossec_t, ossec_exec_t)
+
+optional_policy(`
+        ossec_domtrans(httpd_t)
+')
+
+type ossec_var_t;
+files_type(ossec_var_t)
+
+type ossec_tmp_t;
+files_tmp_file(ossec_tmp_t)
+
+type ossec_log_t;
+logging_log_file(ossec_log_t)
+
+type ossec_etc_t;
+files_config_file(ossec_etc_t)
+
+type ossec_rule_t;
+files_config_file(ossec_rule_t)
+
+type ossec_stats_t;
+files_type(ossec_stats_t)
+
+type ossec_queue_t;
+files_type(ossec_queue_t)
+
+type ossec_script_t;
+files_type(ossec_script_t)
+
+require {
+	type ossec_t;
+	type ossec_bin_t;
+	type ossec_exec_t;
+	type ossec_var_t;
+	type ossec_tmp_t;
+	type ossec_log_t;
+	type ossec_etc_t;
+	type ossec_rule_t;
+	type ossec_stats_t;
+	type ossec_queue_t;
+	type ossec_script_t;
+	class file { rename read lock create write getattr unlink open append };
+	class dir { write getattr read remove_name create add_name };
+}
+
 
 ########################################
 #