Updated policy to fix syscheckd denials

ossec.if

@@ -222,3 +222,41 @@ interface(`ossec_queue_filetrans',`
     filetrans_pattern($1, ossec_queue_t, $2, $3, $4)
 ')
 
+########################################
+## <summary>
+##      Create objects in the tmp directory
+##      with a private type with a type transition.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="file">
+##      <summary>
+##      Type to which the created node will be transitioned.
+##      </summary>
+## </param>
+## <param name="class">
+##      <summary>
+##      Object class(es) (single or set including {}) for which this
+##      the transition will occur.
+##      </summary>
+## </param>
+## <param name="name" optional="true">
+##      <summary>
+##      The name of the object being created.
+##      </summary>
+## </param>
+#
+interface(`ossec_tmp_filetrans',`
+    gen_require(`
+        type var_t;
+        type ossec_tmp_t;
+    ')
+
+    allow $1 var_t:dir search_dir_perms;
+    allow $1 ossec_tmp_t:dir search_dir_perms;
+    filetrans_pattern($1, ossec_tmp_t, $2, $3, $4)
+')
+

ossec.te

@@ -1,5 +1,5 @@
 
-policy_module(ossec,1.0.239)
+policy_module(ossec,1.0.258)
 
 ########################################
 #
@@ -67,6 +67,10 @@ type ossec_syscheckd_t;
 type ossec_syscheckd_exec_t;
 init_daemon_domain(ossec_syscheckd_t, ossec_syscheckd_exec_t)
 
+#domain_entry_file(ossec_syscheckd_t, shell_exec_t)
+#domtrans_pattern(ossec_syscheckd_t, ossec_ar_exec_t, ossec_ar_t)
+
+
 # ossec-monitord daemon
 type ossec_monitord_t;
 type ossec_monitord_exec_t;
@@ -139,6 +143,7 @@ role system_r types ossec_ar_t;
 unconfined_domain(ossec_ar_t)
 ###
 
+
 require {
 	type httpd_t;
 
@@ -341,6 +346,19 @@ ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
 # queue dir
 dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
 
+allow ossec_syscheckd_t ossec_queue_t:dir { create_dir_perms rw_dir_perms };
+allow ossec_syscheckd_t ossec_queue_t:file { create_file_perms rename_file_perms write_file_perms };
+ossec_queue_filetrans(ossec_syscheckd_t, ossec_queue_t, file)
+#rw_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
+#rename_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
+#create_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
+
+ossec_tmp_filetrans(ossec_syscheckd_t, ossec_tmp_t, lnk_file)
+#manage_files_pattern(ossec_syscheckd_t, ossec_tmp_t, ossec_tmp_t)
+manage_lnk_files_pattern(ossec_syscheckd_t, ossec_tmp_t, ossec_tmp_t)
+#allow ossec_syscheckd_t user_tmp_t:sock_file getattr;
+userdom_search_user_tmp_dirs(ossec_syscheckd_t)
+
 # logs
 allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read };
 ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
@@ -354,10 +372,20 @@ allow ossec_syscheckd_t self:tcp_socket create_socket_perms;
 #allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
 #allow ossec_syscheckd_t self:tcp_socket { create connect read write };
 
+# exec patterns
+allow ossec_syscheckd_t shell_exec_t:file { exec_file_perms };
+exec_files_pattern(ossec_syscheckd_t, bin_t, bin_t);
+
 # all the things
+#allow ossec_syscheckd_t shell_exec_t:file { exec_file_perms };
+#allow ossec_syscheckd_t bin_t:file { exec_file_perms };
+#allow ossec_syscheckd_t bin_t:file { execute execute_no_trans };
 files_read_all_files(ossec_syscheckd_t)
 files_read_all_symlinks(ossec_syscheckd_t)
+seutil_read_bin_policy(ossec_syscheckd_t)
 kernel_getattr_proc_files(ossec_syscheckd_t)
+#read_sock_files_pattern(ossec_syscheckd_t, tmp_t, tmp_t)
+files_dontaudit_getattr_all_sockets(ossec_syscheckd_t)
 
 
 #============= ossec-monitord_t ==============