Confined the queue directory and sock files.

Eric Renfro 2015-11-25 17:30:42 -05:00
parent aeb1ee4e6b
commit df1baf710e
3 changed files with 134 additions and 36 deletions


@ -8,10 +8,22 @@
#/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0) #/var/log/mlogc/data(/.*)? gen_context(system_u:object_r:mlogc_log_t,s0)
/var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0) /var/ossec/logs(/.*)? gen_context(system_u:object_r:ossec_log_t,s0)
/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
/var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0) /var/ossec/stats(/.*)? gen_context(system_u:object_r:ossec_stats_t,s0)
/var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0) /var/ossec/agentless(/.*)? gen_context(system_u:object_r:ossec_var_t,s0)
/var/ossec/queue(/.*)? gen_context(system_u:object_r:ossec_queue_t,s0)
/var/ossec/queue/rids(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
/var/ossec/queue/agent-info(/.*)? gen_context(system_u:object_r:ossec_remoted_file_t,s0)
/var/ossec/queue/fts(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
/var/ossec/queue/syscheck(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
/var/ossec/queue/rootcheck(/.*)? gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
/var/ossec/queue/alerts/execq -s gen_context(system_u:object_r:ossec_execd_sock_t,s0)
/var/ossec/queue/alerts/ar -s gen_context(system_u:object_r:ossec_remoted_sock_t,s0)
/var/ossec/queue/ossec/queue -s gen_context(system_u:object_r:ossec_analysisd_sock_t,s0)
#/var/ossec/queue/fts/hostinfo -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
#/var/ossec/queue/fts/fts-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
#/var/ossec/queue/fts/ig-queue -- gen_context(system_u:object_r:ossec_analysisd_file_t,s0)
/var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0) /var/ossec/var/run(/.*)? gen_context(system_u:object_r:ossec_var_run_t,s0)
/var/ossec/var/execd\.sqlite -- gen_context(system_u:object_r:ossec_execd_file_t,s0) /var/ossec/var/execd\.sqlite -- gen_context(system_u:object_r:ossec_execd_file_t,s0)
/var/ossec/var/execd\.sqlite-journal -- gen_context(system_u:object_r:ossec_execd_journal_t,s0) /var/ossec/var/execd\.sqlite-journal -- gen_context(system_u:object_r:ossec_execd_journal_t,s0)
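Review bot: The `-s` entries on L23-L25 only label socket files that already exist when restorecon runs; at runtime the label is produced by the `ossec_queue_filetrans(..., sock_file)` transitions in ossec.te, and those fire only while the parent directories `queue/alerts` and `queue/ossec` carry `ossec_queue_t`, which they get solely through the generic `/var/ossec/queue(/.*)?` rule on L17. A later, more specific entry for either directory would silently break the transitions, so record the dependency next to L23, e.g. `# queue/alerts and queue/ossec must stay ossec_queue_t: the sock_file type_transitions in ossec.te key on that directory type`. The commented-out per-file fts entries on L26-L28 are already covered by the `queue/fts(/.*)?` line on L20 and can be dropped rather than kept as dead lines.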


@ -177,6 +177,48 @@ interface(`ossec_read_queue',`
allow $1 var_t:dir search_dir_perms; allow $1 var_t:dir search_dir_perms;
allow $1 ossec_queue_t:dir list_dir_perms; allow $1 ossec_queue_t:dir list_dir_perms;
allow $1 ossec_queue_t:file read_file_perms; allow $1 ossec_queue_t:file read_file_perms;
allow $1 ossec_remoted_file_t:dir list_dir_perms;
allow $1 ossec_remoted_file_t:file read_file_perms;
allow $1 ossec_analysisd_file_t:dir list_dir_perms;
allow $1 ossec_analysisd_file_t:file read_file_perms;
#read_files_pattern($1, ossec_queue_t, ossec_queue_t) #read_files_pattern($1, ossec_queue_t, ossec_queue_t)
') ')
########################################
## <summary>
## Create objects in the spool directory
## with a private type with a type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file">
## <summary>
## Type to which the created node will be transitioned.
## </summary>
## </param>
## <param name="class">
## <summary>
## Object class(es) (single or set including {}) for which this
## the transition will occur.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`ossec_queue_filetrans',`
gen_require(`
type var_t;
type ossec_queue_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 ossec_queue_t:dir search_dir_perms;
filetrans_pattern($1, ossec_queue_t, $2, $3, $4)
')
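Review bot: `ossec_queue_filetrans` (L72-L80) requires `var_t` directly and grants the search itself; refpolicy convention is to leave `var_t` to the files module and call `files_search_var($1)` in place of `allow $1 var_t:dir search_dir_perms;` (the same pattern appears in `ossec_read_queue` at L36, but that line predates this commit). The header comment was copied from a spool interface: `## Create objects in the spool directory` should read `## Create objects in the OSSEC queue directory`, and `for which this the transition will occur` has a stray word. The new rules in `ossec_read_queue` (L39-L42) reference `ossec_remoted_file_t` and `ossec_analysisd_file_t`, but that interface's `gen_require` block starts above the hunk, so confirm both types are declared there or callers in other modules will fail to link. In refpolicy `filetrans_pattern` already grants `rw_dir_perms` on the directory argument, which presumably makes the explicit `search_dir_perms` on `ossec_queue_t` at L78 redundant.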

114
ossec.te

@ -1,5 +1,5 @@
policy_module(ossec,1.0.201) policy_module(ossec,1.0.238)
######################################## ########################################
# #
@ -26,12 +26,19 @@ files_type(ossec_execd_file_t)
type ossec_execd_journal_t; type ossec_execd_journal_t;
files_type(ossec_execd_journal_t) files_type(ossec_execd_journal_t)
type ossec_execd_sock_t;
files_type(ossec_execd_sock_t)
# ossec-analysisd daemon # ossec-analysisd daemon
type ossec_analysisd_t; type ossec_analysisd_t;
type ossec_analysisd_exec_t; type ossec_analysisd_exec_t;
init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t) init_daemon_domain(ossec_analysisd_t, ossec_analysisd_exec_t)
type ossec_analysisd_configfile_t; type ossec_analysisd_configfile_t;
files_config_file(ossec_analysisd_configfile_t); files_config_file(ossec_analysisd_configfile_t)
type ossec_analysisd_file_t;
files_type(ossec_analysisd_file_t)
type ossec_analysisd_sock_t;
files_type(ossec_analysisd_sock_t)
# ossec-logcollector daemon # ossec-logcollector daemon
type ossec_logcollector_t; type ossec_logcollector_t;
@ -44,7 +51,10 @@ type ossec_remoted_exec_t;
init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t) init_daemon_domain(ossec_remoted_t, ossec_remoted_exec_t)
type ossec_remoted_configfile_t; type ossec_remoted_configfile_t;
files_config_file(ossec_remoted_configfile_t); files_config_file(ossec_remoted_configfile_t);
type ossec_remoted_file_t;
files_type(ossec_remoted_file_t)
type ossec_remoted_sock_t;
files_type(ossec_remoted_sock_t)
# ossec-syscheckd daemon # ossec-syscheckd daemon
type ossec_syscheckd_t; type ossec_syscheckd_t;
@ -184,8 +194,12 @@ allow ossec_execd_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file) ossec_pid_filetrans(ossec_execd_t, ossec_var_run_t, file)
# queue dir # queue dir
rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t) ossec_queue_filetrans(ossec_execd_t, ossec_execd_sock_t, sock_file)
manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t); manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_execd_sock_t)
#allow ossec_execd_t ossec_queue_t:dir rw_dir_perms;
#allow ossec_execd_t ossec_execd_sock_t:sock_file manage_sock_file_perms;
#rw_dirs_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t)
#manage_sock_files_pattern(ossec_execd_t, ossec_queue_t, ossec_queue_t);
# logs # logs
allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read }; allow ossec_execd_t ossec_log_t:file { create_file_perms append_file_perms read };
@ -196,7 +210,8 @@ search_dirs_pattern(ossec_execd_t, ossec_ar_bin_t, ossec_ar_bin_t)
corecmd_exec_shell(ossec_execd_t) corecmd_exec_shell(ossec_execd_t)
# dgram socket # dgram socket
allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write }; allow ossec_execd_t self:unix_dgram_socket create_stream_socket_perms;
#allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
# Read urandom # Read urandom
dev_read_urand(ossec_execd_t) dev_read_urand(ossec_execd_t)
@ -221,18 +236,25 @@ allow ossec_analysisd_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file) ossec_pid_filetrans(ossec_analysisd_t, ossec_var_run_t, file)
# queue dir # queue dir
rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t) ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_file_t, file)
rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t) rw_files_pattern(ossec_analysisd_t, ossec_analysisd_file_t, ossec_analysisd_file_t)
manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
ossec_queue_filetrans(ossec_analysisd_t, ossec_analysisd_sock_t, sock_file)
manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_execd_sock_t, ossec_execd_t)
dgram_send_pattern(ossec_analysisd_t, ossec_queue_t, ossec_remoted_sock_t, ossec_remoted_t)
#allow ossec_analysisd_t ossec_queue_t:dir rw_dir_perms;
#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_analysisd_sock_t)
#rw_dirs_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
#rw_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
#manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
# stats dir # stats dir
append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t) append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
allow ossec_analysisd_t ossec_stats_t:file read_file_perms; allow ossec_analysisd_t ossec_stats_t:file read_file_perms;
#ossec_manage_stats(ossec_analysisd_t)
#rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
#rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
#create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
#append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
# logs # logs
allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink }; allow ossec_analysisd_t ossec_log_t:file { create_file_perms append_file_perms read link unlink };
@ -243,9 +265,10 @@ search_dirs_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t) read_files_pattern(ossec_analysisd_t, ossec_rule_t, ossec_rule_t)
# dgram socket # dgram socket
allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write }; allow ossec_analysisd_t self:unix_dgram_socket create_stream_socket_perms;
allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto }; #allow ossec_analysisd_t self:unix_dgram_socket { create bind getopt connect read write };
allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto }; ##allow ossec_analysisd_t ossec_execd_t:unix_dgram_socket { sendto };
#allow ossec_analysisd_t ossec_remoted_t:unix_dgram_socket { sendto };
#============= ossec_logcollector_t ============== #============= ossec_logcollector_t ==============
@ -262,8 +285,9 @@ allow ossec_logcollector_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file) ossec_pid_filetrans(ossec_logcollector_t, ossec_var_run_t, file)
# queue dir # queue dir
search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t) dgram_send_pattern(ossec_logcollector_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t) #search_dirs_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
#manage_sock_files_pattern(ossec_logcollector_t, ossec_queue_t, ossec_queue_t)
# logs # logs
allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read }; allow ossec_logcollector_t ossec_log_t:file { create_file_perms append_file_perms read };
@ -276,8 +300,9 @@ logging_read_all_logs(ossec_logcollector_t)
#read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t) #read_files_pattern(ossec_logcollector_t, var_log_t, var_log_t)
# dgram socket # dgram socket
allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write }; allow ossec_logcollector_t self:unix_dgram_socket create_socket_perms;
allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto }; #allow ossec_logcollector_t self:unix_dgram_socket { create bind getopt connect write };
#allow ossec_logcollector_t ossec_analysisd_t:unix_dgram_socket { sendto };
#============= ossec_remoted_t ============== #============= ossec_remoted_t ==============
@ -296,9 +321,17 @@ allow ossec_remoted_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file) ossec_pid_filetrans(ossec_remoted_t, ossec_var_run_t, file)
# queue dir # queue dir
search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t) dgram_send_pattern(ossec_remoted_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t) #allow ossec_remoted_t ossec_queue_t:dir rw_dir_perms;
manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t) ossec_queue_filetrans(ossec_remoted_t, ossec_remoted_sock_t, sock_file)
manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_remoted_sock_t)
# queue/rids/
rw_files_pattern(ossec_remoted_t, ossec_remoted_file_t, ossec_remoted_file_t)
#search_dirs_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
#rw_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
#manage_sock_files_pattern(ossec_remoted_t, ossec_queue_t, ossec_queue_t)
# logs # logs
allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read }; allow ossec_remoted_t ossec_log_t:file { create_file_perms append_file_perms read };
@ -311,8 +344,9 @@ corenet_udp_bind_generic_node(ossec_remoted_t)
#allow ossec_remoted_t self:tcp_socket { create bind }; #allow ossec_remoted_t self:tcp_socket { create bind };
# dgram socket # dgram socket
allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write }; allow ossec_remoted_t self:unix_dgram_socket create_stream_socket_perms;
allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto }; #allow ossec_remoted_t self:unix_dgram_socket { create bind getopt connect read write };
#allow ossec_remoted_t ossec_analysisd_t:unix_dgram_socket { sendto };
#============= ossec_syscheckd_t ============== #============= ossec_syscheckd_t ==============
@ -330,16 +364,18 @@ allow ossec_syscheckd_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file) ossec_pid_filetrans(ossec_syscheckd_t, ossec_var_run_t, file)
# queue dir # queue dir
search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t) dgram_send_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t) #manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_analysisd_sock_t)
#search_dirs_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
#manage_sock_files_pattern(ossec_syscheckd_t, ossec_queue_t, ossec_queue_t)
# logs # logs
allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read }; allow ossec_syscheckd_t ossec_log_t:file { create_file_perms append_file_perms read };
ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file) ossec_log_filetrans(ossec_syscheckd_t, ossec_log_t, file)
# dgram socket # dgram socket
allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write }; allow ossec_syscheckd_t self:unix_dgram_socket create_socket_perms;
allow ossec_syscheckd_t ossec_analysisd_t:unix_dgram_socket { sendto }; #allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect write };
# Sockets # Sockets
allow ossec_syscheckd_t self:udp_socket { create connect read write bind }; allow ossec_syscheckd_t self:udp_socket { create connect read write bind };
@ -366,17 +402,25 @@ allow ossec_monitord_t ossec_var_run_t:file manage_file_perms;
ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file) ossec_pid_filetrans(ossec_monitord_t, ossec_var_run_t, file)
# queue dir # queue dir
search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t) dgram_send_pattern(ossec_monitord_t, ossec_queue_t, ossec_analysisd_sock_t, ossec_analysisd_t)
read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t) list_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_remoted_file_t)
allow ossec_monitord_t ossec_remoted_file_t:file getattr_file_perms;
#allow ossec_monitord_t ossec_queue_t:dir list_dir_perms;
#allow ossec_monitord_t ossec_queue_t:file { getattr };
#search_dirs_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
#read_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
#manage_sock_files_pattern(ossec_monitord_t, ossec_queue_t, ossec_queue_t)
# logs # logs
allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms read }; allow ossec_monitord_t ossec_log_t:file { create_file_perms append_file_perms read };
ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file) ossec_log_filetrans(ossec_monitord_t, ossec_log_t, file)
# dgram socket # dgram socket
allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write }; allow ossec_monitord_t self:unix_dgram_socket create_socket_perms;
allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto }; #allow ossec_monitord_t self:unix_dgram_socket { create bind getopt connect write };
#allow ossec_monitord_t ossec_analysisd_t:unix_dgram_socket { sendto };
#============= httpd_t ============== #============= httpd_t ==============
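Review bot: The self `unix_dgram_socket` rules for execd, analysisd and remoted (L131, L163, L200) are widened to `create_stream_socket_perms`, which adds `listen` and `accept` — stream-only operations a datagram socket never performs — and is broader than the `{ create bind getopt connect read write }` sets they replace; `create_socket_perms` covers the old sets and is what logcollector, syscheckd and monitord receive at L179, L215 and L235, so use `allow ossec_execd_t self:unix_dgram_socket create_socket_perms;` and the same for the other two domains. `ossec_analysisd_t` is granted only `rw_files_pattern` on `ossec_analysisd_file_t` (L139); if analysisd creates the fts/ig queue files itself it will also need `create_files_pattern` or `manage_files_pattern` on that type — the `queue/fts/fts-queue` entries in ossec.fc suggest those files exist, but whether the daemon creates them is not visible here. L100 drops the stray `;` after `files_config_file(ossec_analysisd_configfile_t)` while L110 keeps it for the remoted type. The commented-out superseded rules (L122-L125, L145-L149, L153-L157, L172-L173, L192-L194, L208-L210, L226-L230) are preserved in history already and would be better removed than carried as dead policy.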