34 lines
969 B
Plaintext
34 lines
969 B
Plaintext
#DESC Snort - Network sniffer
|
|
#
|
|
# Author: Shaun Savage <savages@pcez.com>
|
|
# Modified by Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: snort-common
|
|
#
|
|
|
|
daemon_domain(snort)
|
|
|
|
logdir_domain(snort)
|
|
allow snort_t snort_log_t:dir create;
|
|
can_network_server(snort_t)
|
|
type snort_etc_t, file_type, sysadmfile;
|
|
|
|
# Create temporary files.
|
|
tmp_domain(snort)
|
|
|
|
# use iptable netlink
|
|
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
|
allow snort_t self:packet_socket create_socket_perms;
|
|
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
|
|
|
|
r_dir_file(snort_t, snort_etc_t)
|
|
allow snort_t etc_t:file { getattr read };
|
|
allow snort_t etc_t:lnk_file read;
|
|
|
|
allow snort_t self:unix_dgram_socket create_socket_perms;
|
|
allow snort_t self:unix_stream_socket create_socket_perms;
|
|
|
|
# for start script
|
|
allow initrc_t snort_etc_t:file { getattr read };
|
|
|
|
dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
|