selinux-ossec/ossec.if

## <summary>ossec policy</summary>
## <desc>
##      <p>
##              More descriptive text about ossec.  The desc
##              tag can also use p, ul, and ol
##              html tags for formatting.
##      </p>
##      <p>
##              This policy supports the following ossec features:
##              <ul>
##              <li>Feature A</li>
##              <li>Feature B</li>
##              <li>Feature C</li>
##              </ul>
##      </p>
## </desc>
#

########################################
## <summary>
##      Execute a domain transition to run ossec.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to transition.
##      </summary>
## </param>
#
interface(`ossec_domtrans',`
        gen_require(`
                type ossec_t, ossec_exec_t;
                type httpd_t, httpd_exec_t;
                role system_r;
        ')

        domain_type(ossec_t)
        domain_entry_file(ossec_t, ossec_exec_t)

        role system_r types ossec_t;

        domtrans_pattern($1, ossec_exec_t, ossec_t)
        #domtrans_pattern($1,ossec_exec_t,ossec_t)
')

########################################
## <summary>
##      Read ossec log files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to read the log files.
##      </summary>
## </param>
#
interface(`ossec_read_log',`
        gen_require(`
                type ossec_log_t;
        ')

        logging_search_logs($1)
        allow $1 ossec_log_t:file read_file_perms;
')

########################################
## <summary>
##      Write ossec log files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to write the log files.
##      </summary>
## </param>
#
interface(`ossec_write_log',`
        gen_require(`
                type ossec_log_t;
        ')

        allow $1 ossec_log_t:file write;
')