ossec-hids RPM question

mntbighker
New Forum User
Posts: 2
Joined: Mon May 20, 2013 8:48 pm
Location: United States


I have about 10 servers and all have had ossec installed via the Atomic packages. My most recent install is running CentOS6 with SELinux permissive. I am seeing messages that logrotate was "denied", but in permissive mode it works anyway, I presume. Once we switch to enforcing, this will probably come to a screeching halt. I asked on the ossec list and they claim that the ossec source has nothing in /etc/logrotate.d, so go talk to the Atomic folks. Hence my note. Apparently they have their own log rotate function? I verified that the Atomic RPM in fact installs an ossec-hids file in /etc/logrotate.d.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ossec-hids RPM question


Indeed it installs this logrotate event:

[root@c6-64 ~]# rpm -qf /etc/logrotate.d/ossec-hids
ossec-hids-2.7-25.el6.art.x86_64
mntbighker
New Forum User
Posts: 2
Joined: Mon May 20, 2013 8:48 pm
Location: United States

Re: ossec-hids RPM question


So will the RPM get adjusted to provide the correct SELinux context to allow this to work in enforcing mode?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ossec-hids RPM question


If someone submits one, absolutely. I don't work on SELinux, so if you or someone else has a policy they'd like to contribute, I'd be happy to include it in the package. We use the more powerful RBAC in grsecurity ourselves. SELinux just isn't powerful enough for our security requirements.
desmondgc
New Forum User
Posts: 1
Joined: Fri Mar 21, 2014 4:49 pm
Location: Canada

Re: ossec-hids RPM question


For this specific issue (logrotate) you can do:

semanage fcontext -a -t var_log_t /var/ossec/logs/ossec.log
restorecon -v -F /var/ossec/logs/ossec.log

Everything else seems to work fine in enforcing mode so far.
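
While a host is still permissive, the logrotate denials discussed in this thread are recorded as AVC messages, so they can be summarised per file before switching to enforcing. The script below is an added example, not part of any post in the thread; the audit records are constructed, and the var_t target type is an assumption about how /var/ossec/logs/ossec.log was labelled before the fix.

```shell
#!/bin/sh
# Added example, not from the thread: summarise AVC denials raised by logrotate.
# Constructed audit records; the var_t target type is an assumption.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1369108081.101:411): avc:  denied  { getattr } for  pid=2291 comm="logrotate" path="/var/ossec/logs/ossec.log" dev=dm-0 ino=393301 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369108081.102:412): avc:  denied  { read } for  pid=2291 comm="logrotate" name="ossec.log" dev=dm-0 ino=393301 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369108081.103:413): avc:  denied  { read open } for  pid=2291 comm="logrotate" name="ossec.log" dev=dm-0 ino=393301 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1369108081.103:413): arch=c000003e syscall=2 success=yes exit=3 comm="logrotate" exe="/usr/sbin/logrotate"
type=AVC msg=audit(1369108090.500:420): avc:  denied  { write } for  pid=3010 comm="httpd" name="upload" dev=dm-0 ino=5512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# Print one line per object logrotate was denied on:
#   <path-or-name> <target type> <class> <comma-separated permissions>
# Records are grouped by device and inode, so a record that only carries
# name= is merged with one that carries the full path=.
logrotate_denials() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ && /comm="logrotate"/ {
        perms = $0; sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        label = ""; dev = ""; ino = ""; ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            v = $i; sub(/^[a-z]+=/, "", v); gsub(/"/, "", v)
            if ($i ~ /^(path|name)=/) label = v
            else if ($i ~ /^dev=/) dev = v
            else if ($i ~ /^ino=/) ino = v
            else if ($i ~ /^tclass=/) tclass = v
            else if ($i ~ /^tcontext=/) { split(v, c, ":"); ttype = c[3] }
        }
        key = dev ":" ino
        if (!(key in name)) order[++n] = key
        if (!(key in name) || label ~ /^\//) name[key] = label
        info[key] = ttype " " tclass
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) if (!((key, p[j]) in had)) {
            had[key, p[j]] = 1
            list[key] = list[key] (list[key] == "" ? "" : ",") p[j]
        }
    }
    END { for (i = 1; i <= n; i++) print name[order[i]], info[order[i]], list[order[i]] }
    ' "$@"
}

# On a real host, pass the audit log instead: logrotate_denials /var/log/audit/audit.log
sample_audit_log | logrotate_denials
```

A file that still appears in this output after the semanage/restorecon step has not picked up the new label.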