Confined the queue directory and sock files.
This commit is contained in:
parent
aeb1ee4e6b
commit
df1baf710e
3 changed files with 134 additions and 36 deletions
14
ossec.fc
14
ossec.fc
|
@ -8,10 +8,22 @@
|
|||
#/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
|
||||
|
||||
/var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
|
||||
/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
|
||||
/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
|
||||
/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
|
||||
|
||||
/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
|
||||
/var/ossec/queue/rids(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
|
||||
/var/ossec/queue/agent-info(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
|
||||
/var/ossec/queue/fts(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
|
||||
/var/ossec/queue/syscheck(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
|
||||
/var/ossec/queue/rootcheck(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
|
||||
/var/ossec/queue/alerts/execq -s gen_context(system_u:object_r:ossec_execd_sock_t,s0)
|
||||
/var/ossec/queue/alerts/ar -s gen_context(system_u:object_r:ossec_remoted_sock_t,s0)
|
||||
/var/ossec/queue/ossec/queue -s gen_context(system_u:object_r:ossec_analysisd_sock_t,s0)
|
||||
#/var/ossec/queue/fts/hostinfo -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
|
||||
#/var/ossec/queue/fts/fts-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
|
||||
#/var/ossec/queue/fts/ig-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
|
||||
|
||||
/var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0)
|
||||
/var/ossec/var/execd\.sqlite -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
|
||||
/var/ossec/var/execd\.sqlite-journal -- gen_context(system_u:object_r:ossec_execd_journal_t,s0)
|
||||
|
|
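Review bot: The specification `/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)` appears twice in this hunk (once among the old entries, once at the head of the new queue block) and the page does not show which side each copy is on; if both end up on the new side, setfiles/restorecon will complain about a duplicate specification, so the upper one should be the removed line. The `-s` entries for `execq`, `ar` and `ossec/queue` only label socket nodes that exist while the daemon runs, so their type at creation time comes from the `ossec_queue_filetrans` calls in ossec.te rather than from this file; a comment above them such as `# socket types are assigned at create time by ossec_queue_filetrans (ossec.te); these entries only matter for restorecon` would save the next reader that cross-check. The sub-directory and socket regexes carry a longer literal stem than `/var/ossec/queue(/.*)?`, so they take precedence regardless of order and no reordering is needed.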
42
ossec.if
42
ossec.if
|
@ -177,6 +177,48 @@ interface(`ossec_read_queue',`
|
|||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 ossec_queue_t:dir list_dir_perms;
|
||||
allow $1 ossec_queue_t:file read_file_perms;
|
||||
allow $1 ossec_remoted_file_t:dir list_dir_perms;
|
||||
allow $1 ossec_remoted_file_t:file read_file_perms;
|
||||
allow $1 ossec_analysisd_file_t:dir list_dir_perms;
|
||||
allow $1 ossec_analysisd_file_t:file read_file_perms;
|
||||
#read_files_pattern($1, ossec_queue_t, ossec_queue_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in the spool directory
|
||||
## with a private type with a type transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="file">
|
||||
## <summary>
|
||||
## Type to which the created node will be transitioned.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="class">
|
||||
## <summary>
|
||||
## Object class(es) (single or set including {}) for which this
|
||||
## the transition will occur.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ossec_queue_filetrans',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
type ossec_queue_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 ossec_queue_t:dir search_dir_perms;
|
||||
filetrans_pattern($1, ossec_queue_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
|
|
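Review bot: `ossec_read_queue` now grants `$1` access to `ossec_remoted_file_t` and `ossec_analysisd_file_t`, but the interface's `gen_require` block lies above the hunk and is not shown being extended; unless it gains `type ossec_remoted_file_t, ossec_analysisd_file_t;` a module that calls this interface fails to build. In the summary of the new `ossec_queue_filetrans`, "spool directory" looks carried over from a refpolicy template and should read "queue directory", and "for which this the transition will occur" has a stray "this". `filetrans_pattern` already grants `rw_dir_perms` on `ossec_queue_t`, so the explicit `allow $1 ossec_queue_t:dir search_dir_perms;` is subsumed; since every caller in ossec.te omits the optional name, a short comment that the fifth `filetrans_pattern` argument may be empty would also help.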
114
ossec.te
114
ossec.te
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ossec,1.0.201)
|
||||
policy_module(ossec,1.0.238)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -26,12 +26,19 @@ files_type(ossec_execd_file_t)
|
|||
type ossec_execd_journal_t;
|
||||
files_type(ossec_execd_journal_t)
|
||||
|
||||
type ossec_execd_sock_t;
|
||||
files_type(ossec_execd_sock_t)
|
||||
|
||||
# ossec-analysisd daemon
|
||||
type ossec_analysisd_t;
|
||||
type ossec_analysisd_exec_t;
|
||||
init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t)
|
||||
type ossec_analysisd_configfile_t;
|
||||
files_config_file(ossec_analysisd_configfile_t);
|
||||
files_config_file(ossec_analysisd_configfile_t)
|
||||
type ossec_analysisd_file_t;
|
||||
files_type(ossec_analysisd_file_t)
|
||||
type ossec_analysisd_sock_t;
|
||||
files_type(ossec_analysisd_sock_t)
|
||||
|
||||
# ossec-logcollector daemon
|
||||
type ossec_logcollector_t;
|
||||
|
@ -44,7 +51,10 @@ type ossec_remoted_exec_t;
|
|||
init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
|
||||
type ossec_remoted_configfile_t;
|
||||
files_config_file(ossec_remoted_configfile_t);
|
||||
|
||||
type ossec_remoted_file_t;
|
||||
files_type(ossec_remoted_file_t)
|
||||
type ossec_remoted_sock_t;
|
||||
files_type(ossec_remoted_sock_t)
|
||||
|
||||
# ossec-syscheckd daemon
|
||||
type ossec_syscheckd_t;
|
||||
|
@ -184,8 +194,12 @@ allow ossec_execd_t ossec_var_run_t:file manage_file_perms;
|
|||
ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
|
||||
|
||||
# queue dir
|
||||
rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
|
||||
manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
|
||||
ossec_queue_filetrans(ossec_execd_t, ossec_execd_sock_t, sock_file)
|
||||
manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_execd_sock_t)
|
||||
#allow ossec_execd_t ossec_queue_t:dir rw_dir_perms;
|
||||
#allow ossec_execd_t ossec_execd_sock_t:sock_file manage_sock_file_perms;
|
||||
#rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
|
||||
#manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
|
||||
|
||||
# logs
|
||||
allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read };
|
||||
|
@ -196,7 +210,8 @@ search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
|
|||
corecmd_exec_shell(ossec_execd_t)
|
||||
|
||||
# dgram socket
|
||||
allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
|
||||
allow ossec_execd_t self:unix_dgram_socket create_stream_socket_perms;
|
||||
#allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
|
||||
|
||||
# Read urandom
|
||||
dev_read_urand(ossec_execd_t)
|
||||
|
@ -221,18 +236,25 @@ allow ossec_analysisd_t ossec_var_run_t:file manage_file_perms;
|
|||
ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file)
|
||||
|
||||
# queue dir
|
||||
rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
|
||||
rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
|
||||
manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
|
||||
ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_file_t, file)
|
||||
rw_files_pattern(ossec_analysisd_t, ossec_analysisd_file_t, ossec_analysisd_file_t)
|
||||
|
||||
ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_sock_t, sock_file)
|
||||
manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
|
||||
|
||||
dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_execd_sock_t, ossec_execd_t)
|
||||
dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_remoted_sock_t, ossec_remoted_t)
|
||||
|
||||
#allow ossec_analysisd_t ossec_queue_t:dir rw_dir_perms;
|
||||
|
||||
#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
|
||||
#rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
|
||||
#rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
|
||||
#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
|
||||
|
||||
# stats dir
|
||||
append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
|
||||
allow ossec_analysisd_t ossec_stats_t:file read_file_perms;
|
||||
#ossec_manage_stats(ossec_analysisd_t)
|
||||
#rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
|
||||
#rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
|
||||
#create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
|
||||
#append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
|
||||
|
||||
# logs
|
||||
allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink };
|
||||
|
@ -243,9 +265,10 @@ search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
|
|||
read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
|
||||
|
||||
# dgram socket
|
||||
allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write };
|
||||
allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
|
||||
allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
|
||||
allow ossec_analysisd_t self:unix_dgram_socket create_stream_socket_perms;
|
||||
#allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write };
|
||||
##allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
|
||||
#allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
|
||||
|
||||
|
||||
#============= ossec_logcollector_t ==============
|
||||
|
@ -262,8 +285,9 @@ allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms;
|
|||
ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file)
|
||||
|
||||
# queue dir
|
||||
search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
|
||||
manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
|
||||
dgram_send_pattern(ossec_logcollector_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
|
||||
#search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
|
||||
#manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
|
||||
|
||||
# logs
|
||||
allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
|
||||
|
@ -276,8 +300,9 @@ logging_read_all_logs(ossec_logcollector_t)
|
|||
#read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
|
||||
|
||||
# dgram socket
|
||||
allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
|
||||
allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
allow ossec_logcollector_t self:unix_dgram_socket create_socket_perms;
|
||||
#allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
|
||||
#allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
|
||||
|
||||
#============= ossec_remoted_t ==============
|
||||
|
@ -296,9 +321,17 @@ allow ossec_remoted_t ossec_var_run_t:file manage_file_perms;
|
|||
ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file)
|
||||
|
||||
# queue dir
|
||||
search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
|
||||
rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
|
||||
manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
|
||||
dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
|
||||
#allow ossec_remoted_t ossec_queue_t:dir rw_dir_perms;
|
||||
ossec_queue_filetrans(ossec_remoted_t, ossec_remoted_sock_t, sock_file)
|
||||
manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t)
|
||||
|
||||
# queue/rids/
|
||||
rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t)
|
||||
|
||||
#search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
|
||||
#rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
|
||||
#manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
|
||||
|
||||
# logs
|
||||
allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read };
|
||||
|
@ -311,8 +344,9 @@ corenet_udp_bind_generic_node(ossec_remoted_t)
|
|||
#allow ossec_remoted_t self:tcp_socket { create bind };
|
||||
|
||||
# dgram socket
|
||||
allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
|
||||
allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms;
|
||||
#allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
|
||||
#allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
|
||||
|
||||
#============= ossec_syscheckd_t ==============
|
||||
|
@ -330,16 +364,18 @@ allow ossec_syscheckd_t ossec_var_run_t:file manage_file_perms;
|
|||
ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
|
||||
|
||||
# queue dir
|
||||
search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
|
||||
manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
|
||||
dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
|
||||
#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t)
|
||||
#search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
|
||||
#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
|
||||
|
||||
# logs
|
||||
allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read };
|
||||
ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
|
||||
|
||||
# dgram socket
|
||||
allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
|
||||
allow ossec_syscheckd_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
allow ossec_syscheckd_t self:unix_dgram_socket create_socket_perms;
|
||||
#allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
|
||||
|
||||
# Sockets
|
||||
allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
|
||||
|
@ -366,17 +402,25 @@ allow ossec_monitord_t ossec_var_run_t:file manage_file_perms;
|
|||
ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file)
|
||||
|
||||
# queue dir
|
||||
search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
|
||||
read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
|
||||
manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
|
||||
dgram_send_pattern(ossec_monitord_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
|
||||
|
||||
list_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_remoted_file_t)
|
||||
allow ossec_monitord_t ossec_remoted_file_t:file getattr_file_perms;
|
||||
|
||||
#allow ossec_monitord_t ossec_queue_t:dir list_dir_perms;
|
||||
#allow ossec_monitord_t ossec_queue_t:file { getattr };
|
||||
#search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
|
||||
#read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
|
||||
#manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
|
||||
|
||||
# logs
|
||||
allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms read };
|
||||
ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file)
|
||||
|
||||
# dgram socket
|
||||
allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };
|
||||
allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
allow ossec_monitord_t self:unix_dgram_socket create_socket_perms;
|
||||
#allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };
|
||||
#allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
|
||||
|
||||
|
||||
#============= httpd_t ==============
|
||||
|
|
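Review bot: `create_stream_socket_perms` on `self:unix_dgram_socket` in the execd, analysisd and remoted `# dgram socket` hunks grants `listen` and `accept`, which a datagram socket never exercises; the logcollector, syscheckd and monitord hunks in the same commit use `create_socket_perms` for the identical rule, so the three lines should match, e.g. `allow ossec_execd_t self:unix_dgram_socket create_socket_perms;`. The per-peer `sendto` rules are now covered by the `dgram_send_pattern` calls, so the commented-out copies left beside them are dead policy and can be dropped rather than kept. Each per-domain section continues outside its hunk, so the rest of each domain's socket rules is not visible here.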