policy_module(ossec_agent, 1.0.4)
# selinux module for OSSEC (tm) agent
# (C) Ivan Agarkov, 2017
# exec file types
type ossec_agent_exec_t;
type ossec_exec_exec_t;
type ossec_logcollector_exec_t;
type ossec_syscheck_exec_t;
type ossec_admin_exec_t;
# data file types
type ossec_log_t; # logs/
type ossec_conf_t; # /etc
type ossec_queue_t; # /queue
type ossec_tmp_t; # /tmp
type ossec_var_t; # /var
# process attributes
attribute ossec_process;
# process types
type ossec_agent_t, ossec_process;
type ossec_exec_t, ossec_process;
type ossec_logcollector_t, ossec_process;
type ossec_syscheck_t, ossec_process;
type ossec_admin_t;

# types definitions
init_daemon_domain(ossec_agent_t, ossec_agent_exec_t)
init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
init_daemon_domain(ossec_syscheck_t, ossec_syscheck_exec_t)
init_daemon_domain(ossec_exec_t, ossec_exec_exec_t)
application_domain(ossec_admin_t, ossec_admin_exec_t)

files_type(ossec_queue_t)
files_type(ossec_var_t)
logging_log_file(ossec_log_t)
files_config_file(ossec_conf_t)
files_tmp_file(ossec_tmp_t)
# type transition for all
files_tmp_filetrans(ossec_process, ossec_tmp_t, {file dir lnk_file})
filetrans_pattern(ossec_process, ossec_queue_t, ossec_queue_t, {file dir lnk_file sock_file})
filetrans_pattern(ossec_process, ossec_var_t, ossec_var_t, {file dir lnk_file })
filetrans_pattern(ossec_process, ossec_conf_t, ossec_conf_t, {file dir lnk_file })
filetrans_pattern(ossec_process, ossec_tmp_t, ossec_tmp_t, {file dir lnk_file })
# allow ossec agent to read & edit all
read_files_pattern(ossec_process, ossec_conf_t, ossec_conf_t)
admin_pattern(ossec_process, ossec_queue_t, ossec_queue_t)

admin_pattern(ossec_process, ossec_log_t, ossec_log_t)
admin_pattern(ossec_process, ossec_var_t, ossec_var_t)
optional_policy(`
  gen_require(`
    type passwd_file_t, etc_t;
  ')
  read_files_pattern(ossec_process, etc_t, passwd_file_t)
')
allow ossec_process ossec_process:unix_dgram_socket all_unix_dgram_socket_perms;
sysnet_dns_name_resolve(ossec_process)
allow ossec_process self:capability { dac_override setgid setuid sys_chroot };
# for agent
admin_pattern(ossec_agent_t, ossec_conf_t, ossec_conf_t)
admin_pattern(ossec_agent_t, ossec_tmp_t, ossec_tmp_t)

# logcollector read all logs
logging_read_all_logs(ossec_logcollector_t)
logging_read_audit_log(ossec_logcollector_t)
# syscheck read all file
files_read_all_files(ossec_syscheck_t)
allow ossec_syscheck_t self:process setsched;
allow ossec_syscheck_t self:capability sys_nice;
# admin policy
admin_pattern(ossec_admin_t, ossec_conf_t, ossec_conf_t)
admin_pattern(ossec_admin_t, ossec_queue_t, ossec_queue_t)
admin_pattern(ossec_admin_t, ossec_var_t, ossec_var_t)
# allow to kill
allow ossec_admin_t ossec_process:process { signal sigkill ptrace sigstop getattr setrlimit noatsecure };
# for different roles
optional_policy(`
  gen_require(`
    type unconfined_t;
    role unconfined_r;
  ')
  role unconfined_r types ossec_admin_t;
  domtrans_pattern(unconfined_t, ossec_admin_exec_t, ossec_admin_t)
')
optional_policy(`
  gen_require(`
    type sysadm_t;
    role sysadm_r;
  ')
  role sysadm_r types ossec_admin_t;
  domtrans_pattern(sysadm_t, ossec_admin_exec_t, ossec_admin_t)
')
optional_policy(`
  gen_require(`
    type staff_t;
    role staff_r;
  ')
  role staff_r types ossec_admin_t;
  domtrans_pattern(staff_t, ossec_admin_exec_t, ossec_admin_t)
')