policy_module(ossec,1.0.12)

########################################
#
# Declarations
#

# Process domain for OSSEC and the entry-point file type that
# transitions into it (wired up by domain_entry_file below).
type ossec_t;
type ossec_bin_t;
type ossec_exec_t;
role system_r types ossec_t;

domain_type(ossec_t)
domain_entry_file(ossec_t, ossec_exec_t)
# ossec_bin_t is declared but not referenced by any rule in this file;
# presumably it is consumed by the matching .fc file -- confirm, or drop it.

optional_policy(`
	# ossec_domtrans() is not defined in this file; it is expected to come
	# from the companion ossec.if interface file.
	ossec_domtrans(httpd_t)
')

# File types owned by this module. Only the three marked below are
# exposed to httpd_t by the rules in the local-policy section.
type ossec_var_t;
files_type(ossec_var_t)

type ossec_tmp_t;
files_tmp_file(ossec_tmp_t)

type ossec_log_t;            # read by httpd_t (see below)
logging_log_file(ossec_log_t)

type ossec_etc_t;
files_config_file(ossec_etc_t)

type ossec_rule_t;
files_config_file(ossec_rule_t)

type ossec_stats_t;          # read by httpd_t (see below)
files_type(ossec_stats_t)

type ossec_queue_t;          # read by httpd_t (see below)
files_type(ossec_queue_t)

type ossec_script_t;
files_type(ossec_script_t)

# NOTE(review): every ossec_* type listed here is also declared by this
# module a few lines above, so requiring them again is redundant; only
# httpd_t and the two object classes genuinely come from outside this
# module. The permission lists also name write/rename/unlink/create/
# remove_name/add_name, none of which any rule below actually uses.
require {
	type ossec_t;
	type ossec_bin_t;
	type ossec_exec_t;
	type ossec_var_t;
	type ossec_tmp_t;
	type ossec_log_t;
	type ossec_etc_t;
	type ossec_rule_t;
	type ossec_stats_t;
	type ossec_queue_t;
	type ossec_script_t;
	type httpd_t;
	class file { rename read lock create write getattr unlink open append };
	class dir { write getattr read remove_name create add_name };
}

########################################
#
# ossec local policy
#

#============= ossec_t ==============
# No rules for ossec_t appear in this file. domain_type() above makes it
# a confined domain, so whatever the daemon needs must be granted
# elsewhere (ossec.if or another module) -- TODO confirm before loading.

#============= httpd_t ==============
# Read-only access for the web server to OSSEC logs, queue and stats.
# No write/append/create/unlink is granted on these types, so httpd_t
# can display the data but cannot alter or remove it.
# NOTE(review): the dir rules grant only "read" (directory listing);
# opening a file by path inside a directory labeled ossec_log_t,
# ossec_queue_t or ossec_stats_t also needs "search" on that directory,
# which nothing here grants -- confirm how the directories are labeled
# in the .fc file before relying on these rules.
allow httpd_t ossec_log_t:dir { read };
allow httpd_t ossec_log_t:file { open read getattr };
allow httpd_t ossec_queue_t:dir { read };
allow httpd_t ossec_queue_t:file { open read getattr };
allow httpd_t ossec_stats_t:dir { read };
allow httpd_t ossec_stats_t:file { open read getattr };