rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
a49a82c295
selinux-policy/policy/modules/services/snort.te
Jeremy Solt a49a82c295 snort patch from Dan Walsh 
Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
Didn't include the usbmod (doesn't exist in refpolicy at this time).
Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
2010-04-05 13:46:11 -04:00

117 lines
3.2 KiB
Plaintext
Raw Blame History

policy_module(snort, 1.8.0)
########################################
#
# Declarations
#
type snort_t;
type snort_exec_t;
init_daemon_domain(snort_t, snort_exec_t)
type snort_etc_t;
files_config_file(snort_etc_t)
type snort_initrc_exec_t;
init_script_file(snort_initrc_exec_t)
type snort_log_t;
logging_log_file(snort_log_t)
type snort_tmp_t;
files_tmp_file(snort_tmp_t)
type snort_var_run_t;
files_pid_file(snort_var_run_t)
########################################
#
# Local policy
#
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket { bind create getattr };
allow snort_t snort_etc_t:dir list_dir_perms;
allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file { getattr read };
manage_files_pattern(snort_t, snort_log_t, snort_log_t)
create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
logging_log_filetrans(snort_t, snort_log_t, { file dir })
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t)
files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
files_pid_filetrans(snort_t, snort_var_run_t, file)
kernel_read_kernel_sysctls(snort_t)
kernel_read_sysctl(snort_t)
kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_request_load_module(snort_t)
kernel_dontaudit_read_system_state(snort_t)
corenet_all_recvfrom_unlabeled(snort_t)
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
corenet_raw_sendrecv_generic_if(snort_t)
corenet_tcp_sendrecv_generic_node(snort_t)
corenet_udp_sendrecv_generic_node(snort_t)
corenet_raw_sendrecv_generic_node(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
corenet_tcp_connect_prelude_port(snort_t)
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
dev_read_urand(snort_t)
# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
files_read_etc_files(snort_t)
files_dontaudit_read_etc_runtime_files(snort_t)
fs_getattr_all_fs(snort_t)
fs_search_auto_mountpoints(snort_t)
init_read_utmp(snort_t)
logging_send_syslog_msg(snort_t)
miscfiles_read_localization(snort_t)
sysnet_read_config(snort_t)
# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
sysnet_dns_name_resolve(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
userdom_dontaudit_search_user_home_dirs(snort_t)
optional_policy(`
prelude_manage_spool(snort_t)
')
optional_policy(`
seutil_sigchld_newrole(snort_t)
')
optional_policy(`
udev_read_db(snort_t)
')
Reference in New Issue View Git Blame Copy Permalink