# NOTE(review): the leading number on each line is the listing's own line
# counter from the page, not policy syntax. Gaps in that counter (4, 10, 16,
# 18, ...) mean lines are not shown here; most are probably blank, but some may
# hold statements — confirm against the original .te file.
# Declares the policy module "ossec_agent" at version 1.0.4.
1 policy_module(ossec_agent, 1.0.4)
2 # SELinux module for OSSEC (tm) agent
3 # (C) Ivan Agarkov, 2017
# Executable (entry-point) types, one per OSSEC program. Each is bound to a
# process domain further down by init_daemon_domain / application_domain.
5 type ossec_agent_exec_t;
6 type ossec_exec_exec_t;
7 type ossec_logcollector_exec_t;
8 type ossec_syscheck_exec_t;
9 type ossec_admin_exec_t;
# Types for the agent's own data. The trailing comments give the directory
# each type is meant for; the actual path-to-type mapping is not in this file
# (presumably in a companion .fc file — confirm).
11 type ossec_log_t; # logs/
12 type ossec_conf_t; # /etc
13 type ossec_queue_t; # /queue
14 type ossec_tmp_t; # /tmp
15 type ossec_var_t; # /var
# Attribute used to write one rule for all OSSEC daemon domains at once.
# Any rule whose source is ossec_process applies to every type carrying it,
# so each such rule widens all four daemons, not just one.
17 attribute ossec_process;
# The four daemon process domains, each tagged with the ossec_process attribute.
19 type ossec_agent_t, ossec_process;
20 type ossec_exec_t, ossec_process;
21 type ossec_logcollector_t, ossec_process;
22 type ossec_syscheck_t, ossec_process;
# Mark each daemon type as a domain started by the init system, entered by
# executing the matching *_exec_t file.
26 init_daemon_domain(ossec_agent_t, ossec_agent_exec_t)
27 init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
28 init_daemon_domain(ossec_syscheck_t, ossec_syscheck_exec_t)
29 init_daemon_domain(ossec_exec_t, ossec_exec_exec_t)
# The admin tool is an ordinary application domain, not an init-started daemon.
# NOTE(review): no "type ossec_admin_t" declaration is visible in this listing
# (listing lines 23-25 are not shown) — confirm it is declared there, and
# whether it is deliberately left out of the ossec_process attribute.
30 application_domain(ossec_admin_t, ossec_admin_exec_t)
# Classify the data types: generic files, log file, config file, temp file.
32 files_type(ossec_queue_t)
33 files_type(ossec_var_t)
34 logging_log_file(ossec_log_t)
35 files_config_file(ossec_conf_t)
36 files_tmp_file(ossec_tmp_t)
37 # Type transitions for all OSSEC daemons (everything carrying ossec_process)
# Objects the daemons create in the system temp directories get ossec_tmp_t.
38 files_tmp_filetrans(ossec_process, ossec_tmp_t, {file dir lnk_file})
# Objects created inside an OSSEC-labelled directory keep that directory's
# type. Only the queue rule covers sock_file.
# NOTE(review): in the reference policy, filetrans_pattern also grants the
# source read/write access to the parent directory type. For ossec_conf_t this
# gives every daemon add/remove-name rights on the config directories, although
# the only file access the ossec_process attribute gets on ossec_conf_t in this
# listing is read. Confirm that all four daemons need to create objects under
# the config tree; if only the agent does, scope the ossec_conf_t rule to
# ossec_agent_t.
39 filetrans_pattern(ossec_process, ossec_queue_t, ossec_queue_t, {file dir lnk_file sock_file})
40 filetrans_pattern(ossec_process, ossec_var_t, ossec_var_t, {file dir lnk_file })
41 filetrans_pattern(ossec_process, ossec_conf_t, ossec_conf_t, {file dir lnk_file })
42 filetrans_pattern(ossec_process, ossec_tmp_t, ossec_tmp_t, {file dir lnk_file })
43 # Rules shared by every OSSEC daemon: read the config, manage queue/log/var
# Config is read-only for the ossec_process attribute.
44 read_files_pattern(ossec_process, ossec_conf_t, ossec_conf_t)
# admin_pattern is the broadest file pattern: create, modify, delete and
# relabel. Each rule below gives it to all four daemons.
45 admin_pattern(ossec_process, ossec_queue_t, ossec_queue_t)
# NOTE(review): every daemon can delete and relabel the agent's own logs.
# If only one daemon rotates them, the others may need no more than append —
# confirm which domains actually write or rotate logs before narrowing.
47 admin_pattern(ossec_process, ossec_log_t, ossec_log_t)
48 admin_pattern(ossec_process, ossec_var_t, ossec_var_t)
# NOTE(review): passwd_file_t and etc_t look like types owned by the base
# policy. Listing lines 50 and 52 are not shown, so this statement is
# presumably wrapped in a gen_require block — confirm. As a bare statement it
# would be parsed as a new type declaration rather than a requirement.
51 type passwd_file_t, etc_t;
# Let the daemons read files labelled passwd_file_t under etc_t directories
# (presumably for user/group name lookups — confirm).
53 read_files_pattern(ossec_process, etc_t, passwd_file_t)
# Unix datagram IPC: every OSSEC daemon gets the full permission set on
# datagram sockets owned by any OSSEC daemon domain, not only its own.
55 allow ossec_process ossec_process:unix_dgram_socket all_unix_dgram_socket_perms;
56 sysnet_dns_name_resolve(ossec_process)
# Capabilities for all four daemons: dac_override bypasses discretionary file
# permission checks, setuid/setgid allow changing identity, sys_chroot allows
# chroot().
# NOTE(review): this is granted through the attribute, so daemons that never
# drop privileges or chroot still hold these. Consider per-domain grants based
# on the capability denials seen in the audit log.
57 allow ossec_process self:capability { dac_override setgid setuid sys_chroot };
# Rules for ossec_agent_t only: full manage + relabel on config and temp files.
# NOTE(review): this lets the agent daemon rewrite its own configuration,
# unlike the other daemons, which only read it. Confirm the agent needs write
# access to ossec_conf_t; if not, the shared read rule already covers it.
59 admin_pattern(ossec_agent_t, ossec_conf_t, ossec_conf_t)
60 admin_pattern(ossec_agent_t, ossec_tmp_t, ossec_tmp_t)
62 # logcollector: read all system logs, including the audit log
# The audit log is granted separately from the general log interface.
# These two grants make ossec_logcollector_t a reader of every log on the host,
# so its integrity matters as much as that of the logs it forwards.
63 logging_read_all_logs(ossec_logcollector_t)
64 logging_read_audit_log(ossec_logcollector_t)
65 # syscheck (file integrity checker): read every file
# Read access to all labelled file types is what an integrity checker needs,
# but it also makes ossec_syscheck_t one of the most sensitive domains here:
# anything that can run code in it can read any file this interface covers.
# Note that this domain also holds dac_override through ossec_process.
66 files_read_all_files(ossec_syscheck_t)
# Allow syscheck to change its own scheduling priority: setsched is the
# SELinux process permission, sys_nice the matching Linux capability.
67 allow ossec_syscheck_t self:process setsched;
68 allow ossec_syscheck_t self:capability sys_nice;
# Admin tool domain: full manage + relabel on config, queue and var data.
# No rule for ossec_log_t or ossec_tmp_t is visible for this domain.
70 admin_pattern(ossec_admin_t, ossec_conf_t, ossec_conf_t)
71 admin_pattern(ossec_admin_t, ossec_queue_t, ossec_queue_t)
72 admin_pattern(ossec_admin_t, ossec_var_t, ossec_var_t)
# Process control over every OSSEC daemon: send signals, kill, stop, query
# attributes, change resource limits, ptrace.
# NOTE(review): ptrace lets the admin domain read and alter daemon memory, and
# noatsecure relaxes secure-exec environment sanitising on a transition into
# those domains (relevant only if ossec_admin_t can transition into them, which
# is not shown here). Start/stop control normally needs the signal permissions
# only — confirm ptrace and noatsecure are required, and drop them otherwise.
74 allow ossec_admin_t ossec_process:process { signal sigkill ptrace sigstop getattr setrlimit noatsecure };
# Role and transition rules: which user roles may enter ossec_admin_t by
# running an ossec_admin_exec_t file.
# NOTE(review): the gaps in listing numbers around each pair (75-80, 83-88,
# 91-96) are presumably optional_policy / gen_require wrappers — confirm
# against the original file.
81 role unconfined_r types ossec_admin_t;
82 domtrans_pattern(unconfined_t, ossec_admin_exec_t, ossec_admin_t)
89 role sysadm_r types ossec_admin_t;
90 domtrans_pattern(sysadm_t, ossec_admin_exec_t, ossec_admin_t)
# NOTE(review): staff_r gets the same entry as sysadm_r. Anyone in that role
# who can execute the admin binary gains the kill/ptrace and config-management
# rights above over the host's intrusion-detection agent. Confirm staff users
# are meant to administer OSSEC; otherwise limit entry to sysadm_r.
97 role staff_r types ossec_admin_t;
98 domtrans_pattern(staff_t, ossec_admin_exec_t, ossec_admin_t)