
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 28 Oct 2012 18:02:44
Message-Id: 1351447139.02f35abc5e36b2965a9ef94e5ebfc917c16b2510.SwifT@gentoo
1 commit: 02f35abc5e36b2965a9ef94e5ebfc917c16b2510
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Sun Oct 28 12:51:27 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Sun Oct 28 17:58:59 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02f35abc
7
8 Changes to the snort policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/snort.fc | 5 ++++-
16 policy/modules/contrib/snort.if | 9 +++++----
17 policy/modules/contrib/snort.te | 25 ++++++++++++-------------
18 3 files changed, 21 insertions(+), 18 deletions(-)
19
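--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -1,7 +1,10 @@
 /etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+
 /etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
 
-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
 /usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
 
 /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)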
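--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -1,4 +1,4 @@
-## <summary>Snort network intrusion detection system</summary>
+## <summary>Snort network intrusion detection system.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,14 @@ interface(`snort_domtrans',`
 type snort_t, snort_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, snort_exec_t, snort_t)
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an snort environment
+## All of the rules required to
+## administrate an snort environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -30,7 +31,7 @@ interface(`snort_domtrans',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the snort domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>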
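Review bot: The reflowed summary in the second hunk keeps the article error of the old text: `## administrate an snort environment.` should read `## administrate a snort environment.`. That doc block describes the admin interface whose definition follows below the hunk, outside the view, so the interface body itself is not reviewed here. The `corecmd_search_bin($1)` added to snort_domtrans is the usual companion of domtrans_pattern and raises nothing.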
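--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.10.0)
+policy_module(snort, 1.10.1)
 
 ########################################
 #
@@ -32,20 +32,20 @@ files_pid_file(snort_var_run_t)
 allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:tcp_socket create_stream_socket_perms;
-allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:netlink_socket create_socket_perms;
+allow snort_t self:tcp_socket { accept listen };
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
-# Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
-manage_files_pattern(snort_t, snort_log_t, snort_log_t)
-create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+append_files_pattern(snort_t, snort_log_t, snort_log_t)
+create_files_pattern(snort_t, snort_log_t, snort_log_t)
+setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
 logging_log_filetrans(snort_t, snort_log_t, { file dir })
 
 manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
@@ -73,14 +73,15 @@ corenet_udp_sendrecv_generic_node(snort_t)
 corenet_raw_sendrecv_generic_node(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
+
+corenet_sendrecv_prelude_client_packets(snort_t)
 corenet_tcp_connect_prelude_port(snort_t)
+corenet_tcp_sendrecv_prelude_port(snort_t)
 
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
 dev_read_urand(snort_t)
 dev_read_usbmon_dev(snort_t)
-# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
-# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
 dev_rw_generic_usb_dev(snort_t)
 
 domain_use_interactive_fds(snort_t)
@@ -97,8 +98,6 @@ logging_send_syslog_msg(snort_t)
 
 miscfiles_read_localization(snort_t)
 
-sysnet_read_config(snort_t)
-# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
 sysnet_dns_name_resolve(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)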
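Review bot: The reduction of `self:tcp_socket` to `{ accept listen }` and the removal of the `self:udp_socket` and `self:netlink_route_socket` rules in the second hunk leave no visible rule granting socket creation for those classes; this presumably relies on `sysnet_dns_name_resolve(snort_t)` in the last hunk supplying create_socket_perms, and that dependency is undocumented. A comment above the tcp_socket line, `# tcp/udp/netlink_route create perms come from sysnet_dns_name_resolve() below`, would stop a later cleanup of the DNS call from silently breaking the daemon's networking. The same hunk widens `self:netlink_firewall_socket` from `{ bind create getattr }` to create_socket_perms while dropping the `# Snort IPS node. unverified.` caveat; if the wider set was confirmed against audit logs a one-line comment saying so should replace the old note, otherwise the caveat should stay. The rationale removed above `dev_rw_generic_usb_dev(snort_t)` in the third hunk likewise leaves that read-write device access unexplained.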