diff --git a/ossec.te b/ossec.te
index ca499d6..3ddce79 100644
--- a/ossec.te
+++ b/ossec.te
@@ -1,5 +1,5 @@
-policy_module(ossec,1.0.139)
+policy_module(ossec,1.0.157)
 ########################################
 #
@@ -84,14 +84,25 @@ type ossec_queue_t;
 files_type(ossec_queue_t)
 type ossec_script_t;
-files_type(ossec_script_t)
-
 type ossec_script_exec_t;
-files_type(ossec_script_exec_t)
-domain_type(ossec_script_exec_t)
-domain_entry_file(ossec_script_exec_t, ossec_execd_t)
-#domtrans_pattern(unconfined_t, ossec_script_exec_t, uossec_execd_t)
-unconfined_domain(ossec_script_exec_t)
+files_type(ossec_script_t)
+role system_r types ossec_script_t;
+domain_type(ossec_script_t)
+domain_entry_file(ossec_script_t, ossec_script_exec_t)
+unconfined_domain(ossec_script_t)
+#unconfined_run(ossec_script_exec_t, ossec_script_t)
+
+type_transition ossec_execd_t ossec_script_exec_t:process unconfined_t;
+
+#files_type(ossec_script_exec_t)
+#domain_type(ossec_script_exec_t)
+#domain_entry_file(ossec_script_exec_t, ossec_execd_t)
+##domtrans_pattern(unconfined_t, ossec_script_exec_t, ossec_execd_t)
+#unconfined_domain(ossec_script_exec_t)
+#unconfined_shell_domtrans(ossec_script_exec_t)
+#unconfined_run(ossec_execd_t, system_r)
+#unconfined_run(ossec_script_exec_t, ossec_script_t)
+
 require {
@@ -132,9 +143,11 @@ require {
 type unreserved_port_t;
 type smtp_port_t;
 type node_t;
- class file { rename read lock create write getattr unlink open append };
+ type shell_exec_t;
+ type unconfined_t;
+ class file { rename read lock create write getattr unlink open append entrypoint };
 class dir { write getattr read remove_name create add_name };
- class process { setsched };
+ class process { setsched transition rlimitinh siginh noatsecure };
 class capability { dac_override dac_read_search setuid setgid fsetid sys_chroot sys_nice };
 class tcp_socket { create name_bind name_connect };
 class udp_socket { create bind name_bind node_bind };
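Review bot: The line `type_transition ossec_execd_t ossec_script_exec_t:process unconfined_t;` sends every active-response script that execd launches into unconfined_t, while the same hunk sets up a dedicated ossec_script_t domain (domain_type, domain_entry_file, role system_r) that the transition never uses; the matching allow rules are then hand-written under `# Run autoresponce unconstrained` in the -213 hunk and need `type unconfined_t;` added to the require block in the -132 hunk. Scripts run in reaction to alerts are the part of this module most exposed to untrusted input, so dropping them into the interactive unconfined domain also loses the audit separation a named domain gives. I would transition into the domain the hunk already declares, `domtrans_pattern(ossec_execd_t, ossec_script_exec_t, ossec_script_t)`, which emits the type_transition together with the process transition and file entrypoint allows, so the two raw `allow` lines and the `type unconfined_t;` requirement become unnecessary; if running unconfined is really intended, `unconfined_domain(ossec_script_t)` already provides that for the named domain and could be tightened later. Two smaller points: ossec_script_t is now both a file type (`files_type`, and the directory type in the -213 hunk's `search_dirs_pattern`) and a process domain, which is confusing and would read better with a separate type for the script directory, and the eight commented-out `#files_type`/`#unconfined_*` lines are dead alternatives better deleted than carried along.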
@@ -213,13 +226,28 @@ read_lnk_files_pattern(ossec_execd_t, ossec_etc_t, ossec_etc_t)
 read_files_pattern(ossec_execd_t, ossec_etc_t, ossec_etc_t)
 #sysnet_read_config(ossec_execd_t)
+# etc share dir
+search_dirs_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
+read_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
+#manage_files_pattern(ossec_execd_t, ossec_etc_share_t, ossec_etc_share_t)
+
+# script dir
+search_dirs_pattern(ossec_execd_t, ossec_script_t, ossec_script_t)
+read_files_pattern(ossec_execd_t, ossec_script_exec_t, ossec_script_exec_t)
+exec_files_pattern(ossec_execd_t, ossec_script_exec_t, ossec_script_exec_t)
+exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)
+
+
 # dgram socket
-allow ossec_execd_t self:unix_dgram_socket { create bind getopt }; # connect sendto
+allow ossec_execd_t self:unix_dgram_socket { create bind getopt read write };
 # Read urandom
 dev_read_urand(ossec_execd_t)
 # Run autoresponce unconstrained
+allow ossec_execd_t unconfined_t:process { transition rlimitinh siginh noatsecure };
+allow unconfined_t ossec_script_exec_t:file { entrypoint };
+
 #unconfined_domtrans(ossec_script_t)
 #unconfined_run(ossec_execd_t, ossec_script_t)
@@ -249,6 +277,7 @@ manage_sock_files_pattern(ossec_analysisd_t, ossec_queue_t, ossec_queue_t)
 # stats dir
 rw_dirs_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 rw_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
+create_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 append_files_pattern(ossec_analysisd_t, ossec_stats_t, ossec_stats_t)
 # etc dir
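Review bot: `exec_files_pattern(ossec_execd_t, shell_exec_t, shell_exec_t)` under `# script dir` lets execd run the shell inside its own domain (refpolicy's exec_file_perms includes execute_no_trans), so anything execd starts through `sh -c` rather than through a file labelled ossec_script_exec_t keeps running as ossec_execd_t with no transition at all, and the comment does not say whether that is intended. If the line is only there because the scripts start with `#!/bin/sh`, my understanding is that the entrypoint check is made on the script file rather than the interpreter, in which case it can likely be dropped; if execd really spawns the shell itself, `corecmd_exec_shell(ossec_execd_t)` is the interface to use instead of the raw pattern plus `type shell_exec_t;` in require, and the reason belongs in the comment. The hand-written `allow ossec_execd_t unconfined_t:process ...` and `allow unconfined_t ossec_script_exec_t:file { entrypoint }` lines are part of the transition question raised on the -84 hunk.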
@@ -413,7 +442,7 @@ allow ossec_syscheckd_t self:unix_dgram_socket { create bind getopt connect writ
 allow ossec_syscheckd_t ossec_analysisd_t:unix_dgram_socket { sendto };
 # Sockets
-#allow ossec_t self:udp_socket { create };
+allow ossec_syscheckd_t self:udp_socket { create connect read write };
 allow ossec_syscheckd_t self:tcp_socket { create connect read write };
 #allow ossec_d_t smtp_port_t:tcp_socket { name_connect };
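Review bot: `allow ossec_syscheckd_t self:udp_socket { create connect read write };` gives the file-integrity daemon an outbound UDP socket with no comment on what it talks to, and since it replaces a commented line for a different domain (ossec_t) the history gives no hint either. If this is for name lookups, `sysnet_dns_name_resolve(ossec_syscheckd_t)` is the refpolicy interface and documents the purpose by itself; otherwise a one-line comment naming the peer, e.g. `# syscheckd sends <what> over UDP to <where>`, would let the next reader check the port rules against it. The `# Sockets` section also still carries the stale `#allow ossec_d_t smtp_port_t` line, which is worth deleting rather than keeping.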