From c1c499a09cc3eb9997e12d9c518697aa1685f87f Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sat, 30 Jul 2016 16:37:59 -0400 Subject: [PATCH] Updated policy to fix syscheckd denials --- ossec.if | 38 ++++++++++++++++++++++++++++++++++++++ ossec.te | 30 +++++++++++++++++++++++++++++- 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/ossec.if b/ossec.if index aa81784..14fc3d0 100644 --- a/ossec.if +++ b/ossec.if @@ -222,3 +222,41 @@ interface(`ossec_queue_filetrans',` filetrans_pattern($1, ossec_queue_t, $2, $3, $4) ') +######################################## +## +## Create objects in the tmp directory +## with a private type with a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## Type to which the created node will be transitioned. +## +## +## +## +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`ossec_tmp_filetrans',` + gen_require(` + type var_t; + type ossec_tmp_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 ossec_tmp_t:dir search_dir_perms; + filetrans_pattern($1, ossec_tmp_t, $2, $3, $4) +') + diff --git a/ossec.te b/ossec.te index 233035a..11b8c3b 100644 --- a/ossec.te +++ b/ossec.te @@ -1,5 +1,5 @@ -policy_module(ossec,1.0.239) +policy_module(ossec,1.0.258) ######################################## # @@ -67,6 +67,10 @@ type ossec_syscheckd_t; type ossec_syscheckd_exec_t; init_daemon_domain(ossec_syscheckd_t, ossec_syscheckd_exec_t) +#domain_entry_file(ossec_syscheckd_t, shell_exec_t) +#domtrans_pattern(ossec_syscheckd_t, ossec_ar_exec_t, ossec_ar_t) + + # ossec-monitord daemon type ossec_monitord_t; type ossec_monitord_exec_t; @@ -139,6 +143,7 @@ role system_r types ossec_ar_t; unconfined_domain(ossec_ar_t) ### + require { type httpd_t; @@ -341,6 +346,19 @@ ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file) # queue dir dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t) +allow ossec_syscheckd_t ossec_queue_t:dir { create_dir_perms rw_dir_perms }; +allow ossec_syscheckd_t ossec_queue_t:file { create_file_perms rename_file_perms write_file_perms }; +ossec_queue_filetrans(ossec_syscheckd_t, ossec_queue_t, file) +#rw_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t) +#rename_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t) +#create_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t) + +ossec_tmp_filetrans(ossec_syscheckd_t, ossec_tmp_t, lnk_file) +#manage_files_pattern(ossec_syscheckd_t, ossec_tmp_t, ossec_tmp_t) +manage_lnk_files_pattern(ossec_syscheckd_t, ossec_tmp_t, ossec_tmp_t) +#allow ossec_syscheckd_t user_tmp_t:sock_file getattr; +userdom_search_user_tmp_dirs(ossec_syscheckd_t) + # logs allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read }; ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file) @@ -354,10 +372,20 @@ allow ossec_syscheckd_t self:tcp_socket create_socket_perms; #allow ossec_syscheckd_t self:udp_socket { create connect read write bind }; #allow ossec_syscheckd_t self:tcp_socket { create connect read write }; +# exec patterns +allow ossec_syscheckd_t shell_exec_t:file { exec_file_perms }; +exec_files_pattern(ossec_syscheckd_t, bin_t, bin_t); + # all the things +#allow ossec_syscheckd_t shell_exec_t:file { exec_file_perms }; +#allow ossec_syscheckd_t bin_t:file { exec_file_perms }; +#allow ossec_syscheckd_t bin_t:file { execute execute_no_trans }; files_read_all_files(ossec_syscheckd_t) files_read_all_symlinks(ossec_syscheckd_t) +seutil_read_bin_policy(ossec_syscheckd_t) kernel_getattr_proc_files(ossec_syscheckd_t) +#read_sock_files_pattern(ossec_syscheckd_t, tmp_t, tmp_t) +files_dontaudit_getattr_all_sockets(ossec_syscheckd_t) #============= ossec-monitord_t ==============