--- /dev/null
+policy_module(ossec_agent, 1.0.4)
+# selinux module for OSSEC (tm) agent
+# (C) Ivan Agarkov, 2017
+# exec file types
+type ossec_agent_exec_t;
+type ossec_exec_exec_t;
+type ossec_logcollector_exec_t;
+type ossec_syscheck_exec_t;
+type ossec_admin_exec_t;
+# data file types
+type ossec_log_t; # logs/
+type ossec_conf_t; # /etc
+type ossec_queue_t; # /queue
+type ossec_tmp_t; # /tmp
+type ossec_var_t; # /var
+# process attributes
+attribute ossec_process;
+# process types
+type ossec_agent_t, ossec_process;
+type ossec_exec_t, ossec_process;
+type ossec_logcollector_t, ossec_process;
+type ossec_syscheck_t, ossec_process;
+type ossec_admin_t;
+
+# types definitions
+init_daemon_domain(ossec_agent_t, ossec_agent_exec_t)
+init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
+init_daemon_domain(ossec_syscheck_t, ossec_syscheck_exec_t)
+init_daemon_domain(ossec_exec_t, ossec_exec_exec_t)
+application_domain(ossec_admin_t, ossec_admin_exec_t)
+
+files_type(ossec_queue_t)
+files_type(ossec_var_t)
+logging_log_file(ossec_log_t)
+files_config_file(ossec_conf_t)
+files_tmp_file(ossec_tmp_t)
+# type transition for all
+files_tmp_filetrans(ossec_process, ossec_tmp_t, {file dir lnk_file})
+filetrans_pattern(ossec_process, ossec_queue_t, ossec_queue_t, {file dir lnk_file sock_file})
+filetrans_pattern(ossec_process, ossec_var_t, ossec_var_t, {file dir lnk_file })
+filetrans_pattern(ossec_process, ossec_conf_t, ossec_conf_t, {file dir lnk_file })
+filetrans_pattern(ossec_process, ossec_tmp_t, ossec_tmp_t, {file dir lnk_file })
+# allow ossec agent to read & edit all
+read_files_pattern(ossec_process, ossec_conf_t, ossec_conf_t)
+admin_pattern(ossec_process, ossec_queue_t, ossec_queue_t)
+
+admin_pattern(ossec_process, ossec_log_t, ossec_log_t)
+admin_pattern(ossec_process, ossec_var_t, ossec_var_t)
+optional_policy(`
+ gen_require(`
+ type passwd_file_t, etc_t;
+ ')
+ read_files_pattern(ossec_process, etc_t, passwd_file_t)
+')
+allow ossec_process ossec_process:unix_dgram_socket all_unix_dgram_socket_perms;
+sysnet_dns_name_resolve(ossec_process)
+allow ossec_process self:capability { dac_override setgid setuid sys_chroot };
+# for agent
+admin_pattern(ossec_agent_t, ossec_conf_t, ossec_conf_t)
+admin_pattern(ossec_agent_t, ossec_tmp_t, ossec_tmp_t)
+
+# logcollector read all logs
+logging_read_all_logs(ossec_logcollector_t)
+logging_read_audit_log(ossec_logcollector_t)
+# syscheck read all file
+files_read_all_files(ossec_syscheck_t)
+allow ossec_syscheck_t self:process setsched;
+allow ossec_syscheck_t self:capability sys_nice;
+# admin policy
+admin_pattern(ossec_admin_t, ossec_conf_t, ossec_conf_t)
+admin_pattern(ossec_admin_t, ossec_queue_t, ossec_queue_t)
+admin_pattern(ossec_admin_t, ossec_var_t, ossec_var_t)
+# allow to kill
+allow ossec_admin_t ossec_process:process { signal sigkill ptrace sigstop getattr setrlimit noatsecure };
+# for different roles
+optional_policy(`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+ role unconfined_r types ossec_admin_t;
+ domtrans_pattern(unconfined_t, ossec_admin_exec_t, ossec_admin_t)
+')
+optional_policy(`
+ gen_require(`
+ type sysadm_t;
+ role sysadm_r;
+ ')
+ role sysadm_r types ossec_admin_t;
+ domtrans_pattern(sysadm_t, ossec_admin_exec_t, ossec_admin_t)
+')
+optional_policy(`
+ gen_require(`
+ type staff_t;
+ role staff_r;
+ ')
+ role staff_r types ossec_admin_t;
+ domtrans_pattern(staff_t, ossec_admin_exec_t, ossec_admin_t)
+')
+
projects / ossec-hids.git / blobdiff