diff --git a/ossec.fc b/ossec.fc
index dfe7593..f864027 100644
--- a/ossec.fc
+++ b/ossec.fc
@@ -8,10 +8,22 @@
#/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
/var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
-/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
+/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
+/var/ossec/queue/rids(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
+/var/ossec/queue/agent-info(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
+/var/ossec/queue/fts(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+/var/ossec/queue/syscheck(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+/var/ossec/queue/rootcheck(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+/var/ossec/queue/alerts/execq -s gen_context(system_u:object_r:ossec_execd_sock_t,s0)
+/var/ossec/queue/alerts/ar -s gen_context(system_u:object_r:ossec_remoted_sock_t,s0)
+/var/ossec/queue/ossec/queue -s gen_context(system_u:object_r:ossec_analysisd_sock_t,s0)
+#/var/ossec/queue/fts/hostinfo -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+#/var/ossec/queue/fts/fts-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+#/var/ossec/queue/fts/ig-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
+
/var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0)
/var/ossec/var/execd\.sqlite -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
/var/ossec/var/execd\.sqlite-journal -- gen_context(system_u:object_r:ossec_execd_journal_t,s0)
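Review bot: The three commented entries at L20-22 are already covered by the `/var/ossec/queue/fts(/.*)?` line at L14, which assigns the same ossec_analysisd_file_t to everything under fts, so they add nothing and can be dropped rather than kept as comments. The same applies to the superseded rules retained as comments throughout ossec.te (the execd, analysisd, logcollector, remoted, syscheckd and monitord queue and dgram-socket hunks); version control keeps the history, and a policy file full of disabled rules makes it harder to audit which permissions are actually granted. If the per-file entries are meant as documentation of what lives under fts, a single `# fts/: hostinfo, fts-queue, ig-queue` comment above L14 would carry that without looking like pending rules.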
diff --git a/ossec.if b/ossec.if
index fd315fe..aa81784 100644
--- a/ossec.if
+++ b/ossec.if
@@ -177,6 +177,48 @@ interface(`ossec_read_queue',`
allow $1 var_t:dir search_dir_perms;
allow $1 ossec_queue_t:dir list_dir_perms;
allow $1 ossec_queue_t:file read_file_perms;
+ allow $1 ossec_remoted_file_t:dir list_dir_perms;
+ allow $1 ossec_remoted_file_t:file read_file_perms;
+ allow $1 ossec_analysisd_file_t:dir list_dir_perms;
+ allow $1 ossec_analysisd_file_t:file read_file_perms;
#read_files_pattern($1, ossec_queue_t, ossec_queue_t)
')
+########################################
+##
+## Create objects in the spool directory
+## with a private type with a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Type to which the created node will be transitioned.
+##
+##
+##
+##
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`ossec_queue_filetrans',`
+ gen_require(`
+ type var_t;
+ type ossec_queue_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 ossec_queue_t:dir search_dir_perms;
+ filetrans_pattern($1, ossec_queue_t, $2, $3, $4)
+')
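Review bot: The rules added to `ossec_read_queue` at L35-38 use ossec_remoted_file_t and ossec_analysisd_file_t, but that interface's gen_require block starts above this hunk and no addition to it is visible; unless it is extended with `type ossec_remoted_file_t, ossec_analysisd_file_t;`, the interface will fail to expand when called from another module because those types are not in scope there. In the new `ossec_queue_filetrans` the summary says "Create objects in the spool directory" while the code transitions within ossec_queue_t (`/var/ossec/queue`), so `## Create objects in the OSSEC queue directory` would describe it accurately. The `allow $1 ossec_queue_t:dir search_dir_perms;` at L75 is redundant if this is built against reference policy, whose `filetrans_pattern` already grants rw_dir_perms on the parent directory type. The `$4` name argument is passed through unconditionally, which works because an empty fifth argument to `filetrans_pattern` is accepted, but a comment stating that the name is optional would save the next reader a lookup.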
+
diff --git a/ossec.te b/ossec.te
index c165c24..f1d0183 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.201)
+policy_module(ossec,1.0.238)
########################################
#
@@ -26,12 +26,19 @@ files_type(ossec_execd_file_t)
type ossec_execd_journal_t;
files_type(ossec_execd_journal_t)
+type ossec_execd_sock_t;
+files_type(ossec_execd_sock_t)
+
# ossec-analysisd daemon
type ossec_analysisd_t;
type ossec_analysisd_exec_t;
init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t)
type ossec_analysisd_configfile_t;
-files_config_file(ossec_analysisd_configfile_t);
+files_config_file(ossec_analysisd_configfile_t)
+type ossec_analysisd_file_t;
+files_type(ossec_analysisd_file_t)
+type ossec_analysisd_sock_t;
+files_type(ossec_analysisd_sock_t)
# ossec-logcollector daemon
type ossec_logcollector_t;
@@ -44,7 +51,10 @@ type ossec_remoted_exec_t;
init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
type ossec_remoted_configfile_t;
files_config_file(ossec_remoted_configfile_t);
-
+type ossec_remoted_file_t;
+files_type(ossec_remoted_file_t)
+type ossec_remoted_sock_t;
+files_type(ossec_remoted_sock_t)
# ossec-syscheckd daemon
type ossec_syscheckd_t;
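Review bot: The stray trailing semicolon that this commit removes from `files_config_file(ossec_analysisd_configfile_t)` at L99-100 is still present on the context line `files_config_file(ossec_remoted_configfile_t);` at L110, directly above the new remoted types. Since this hunk already touches the surrounding lines, fixing it here keeps the two daemon sections consistent: `files_config_file(ossec_remoted_configfile_t)`.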
@@ -184,8 +194,12 @@ allow ossec_execd_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
# queue dir
-rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
-manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
+ossec_queue_filetrans(ossec_execd_t, ossec_execd_sock_t, sock_file)
+manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_execd_sock_t)
+#allow ossec_execd_t ossec_queue_t:dir rw_dir_perms;
+#allow ossec_execd_t ossec_execd_sock_t:sock_file manage_sock_file_perms;
+#rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
+#manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
# logs
allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read };
@@ -196,7 +210,8 @@ search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
corecmd_exec_shell(ossec_execd_t)
# dgram socket
-allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
+allow ossec_execd_t self:unix_dgram_socket create_stream_socket_perms;
+#allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
# Read urandom
dev_read_urand(ossec_execd_t)
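Review bot: `create_stream_socket_perms` on a unix_dgram_socket at L135 grants listen and accept on top of create_socket_perms, and neither has any use for a datagram socket; the rule it replaces needed only create, bind, getopt, read and write. `create_socket_perms` — the set this same commit uses for logcollector (L196), syscheckd (L243) and monitord (L269) — already covers all of those, so `allow ossec_execd_t self:unix_dgram_socket create_socket_perms;` is the tighter and more consistent choice. The same applies to analysisd at L176 and remoted at L224, which are the other two receiving daemons given the stream set.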
@@ -221,18 +236,25 @@ allow ossec_analysisd_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file)
# queue dir
-rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
-manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
+ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_file_t, file)
+rw_files_pattern(ossec_analysisd_t, ossec_analysisd_file_t, ossec_analysisd_file_t)
+
+ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_sock_t, sock_file)
+manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
+
+dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_execd_sock_t, ossec_execd_t)
+dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_remoted_sock_t, ossec_remoted_t)
+
+#allow ossec_analysisd_t ossec_queue_t:dir rw_dir_perms;
+
+#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
+#rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
+#rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
+#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
# stats dir
append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
allow ossec_analysisd_t ossec_stats_t:file read_file_perms;
-#ossec_manage_stats(ossec_analysisd_t)
-#rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
-#rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
-#create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
-#append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
# logs
allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink };
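Review bot: `ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_file_t, file)` at L145 sets up a type transition for files analysisd creates in ossec_queue_t directories, but the accompanying `rw_files_pattern` at L146 grants no create, unlink or rename on ossec_analysisd_file_t:file, so unless that permission is granted elsewhere in the file the transition can never fire — the create itself is denied. The commented fc entries for fts/hostinfo, fts-queue and ig-queue suggest analysisd does create these files; if so, `manage_files_pattern(ossec_analysisd_t, ossec_analysisd_file_t, ossec_analysisd_file_t)` is the matching rule, and it also grants add_name on the fts, syscheck and rootcheck directories, which the fc labels ossec_analysisd_file_t and which `rw_files_pattern` leaves at search only. If analysisd only ever opens pre-existing files there, the filetrans call is dead and should be removed instead.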
@@ -243,9 +265,10 @@ search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
# dgram socket
-allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write };
-allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
-allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
+allow ossec_analysisd_t self:unix_dgram_socket create_stream_socket_perms;
+#allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write };
+##allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
+#allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
#============= ossec_logcollector_t ==============
@@ -262,8 +285,9 @@ allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file)
# queue dir
-search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
-manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
+dgram_send_pattern(ossec_logcollector_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
+#search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
+#manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
# logs
allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
@@ -276,8 +300,9 @@ logging_read_all_logs(ossec_logcollector_t)
#read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
# dgram socket
-allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
-allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto };
+allow ossec_logcollector_t self:unix_dgram_socket create_socket_perms;
+#allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
+#allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto };
#============= ossec_remoted_t ==============
@@ -296,9 +321,17 @@ allow ossec_remoted_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file)
# queue dir
-search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
-rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
-manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
+dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
+#allow ossec_remoted_t ossec_queue_t:dir rw_dir_perms;
+ossec_queue_filetrans(ossec_remoted_t, ossec_remoted_sock_t, sock_file)
+manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t)
+
+# queue/rids/
+rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t)
+
+#search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
+#rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
+#manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
# logs
allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read };
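Review bot: `rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t)` at L212 grants read and write on existing files only; whether remoted also creates per-agent entries under rids and agent-info is not visible here, but if it does, the create will be denied and `manage_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t)` is the rule that covers it (the same gap exists for analysisd in the hunk above). The `# queue/rids/` comment at L211 undersells the rule, because ossec.fc labels `/var/ossec/queue/agent-info(/.*)?` with the same type; `# queue/rids/ and queue/agent-info/ (ossec_remoted_file_t)` would match what the fc grants.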
@@ -311,8 +344,9 @@ corenet_udp_bind_generic_node(ossec_remoted_t)
#allow ossec_remoted_t self:tcp_socket { create bind };
# dgram socket
-allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
-allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
+allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms;
+#allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
+#allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
#============= ossec_syscheckd_t ==============
@@ -330,16 +364,18 @@ allow ossec_syscheckd_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
# queue dir
-search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
-manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
+dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
+#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t)
+#search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
+#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
# logs
allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read };
ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
# dgram socket
-allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
-allow ossec_syscheckd_t ossec_analysisd_t:unix_dgram_socket { sendto };
+allow ossec_syscheckd_t self:unix_dgram_socket create_socket_perms;
+#allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
# Sockets
allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
@@ -366,17 +402,25 @@ allow ossec_monitord_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file)
# queue dir
-search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
-read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
-manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
+dgram_send_pattern(ossec_monitord_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
+
+list_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_remoted_file_t)
+allow ossec_monitord_t ossec_remoted_file_t:file getattr_file_perms;
+
+#allow ossec_monitord_t ossec_queue_t:dir list_dir_perms;
+#allow ossec_monitord_t ossec_queue_t:file { getattr };
+#search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
+#read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
+#manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
# logs
allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms read };
ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file)
# dgram socket
-allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };
-allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
+allow ossec_monitord_t self:unix_dgram_socket create_socket_perms;
+#allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };
+#allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
#============= httpd_t ==============