commit: 02f35abc5e36b2965a9ef94e5ebfc917c16b2510 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sun Oct 28 12:51:27 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Oct 28 17:58:59 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02f35abc |
|
Changes to the snort policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/snort.fc | 5 ++++- |
policy/modules/contrib/snort.if | 9 +++++---- |
policy/modules/contrib/snort.te | 25 ++++++++++++------------- |
3 files changed, 21 insertions(+), 18 deletions(-) |
|
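--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -1,7 +1,10 @@
 /etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+
 /etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
 
-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
 /usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
 
 /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)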
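--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -1,4 +1,4 @@
-## <summary>Snort network intrusion detection system</summary>
+## <summary>Snort network intrusion detection system.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,14 @@ interface(`snort_domtrans',`
 type snort_t, snort_exec_t;
 ')
 
+corecmd_search_bin($1)
 domtrans_pattern($1, snort_exec_t, snort_t)
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an snort environment
+## All of the rules required to
+## administrate an snort environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -30,7 +31,7 @@ interface(`snort_domtrans',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the snort domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>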
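--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.10.0)
+policy_module(snort, 1.10.1)
 
 ########################################
 #
@@ -32,20 +32,20 @@ files_pid_file(snort_var_run_t)
 allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:tcp_socket create_stream_socket_perms;
-allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:netlink_socket create_socket_perms;
+allow snort_t self:tcp_socket { accept listen };
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
-# Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
-manage_files_pattern(snort_t, snort_log_t, snort_log_t)
-create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+append_files_pattern(snort_t, snort_log_t, snort_log_t)
+create_files_pattern(snort_t, snort_log_t, snort_log_t)
+setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
 logging_log_filetrans(snort_t, snort_log_t, { file dir })
 
 manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
@@ -73,14 +73,15 @@ corenet_udp_sendrecv_generic_node(snort_t)
 corenet_raw_sendrecv_generic_node(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
+
+corenet_sendrecv_prelude_client_packets(snort_t)
 corenet_tcp_connect_prelude_port(snort_t)
+corenet_tcp_sendrecv_prelude_port(snort_t)
 
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
 dev_read_urand(snort_t)
 dev_read_usbmon_dev(snort_t)
-# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
-# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
 dev_rw_generic_usb_dev(snort_t)
 
 domain_use_interactive_fds(snort_t)
@@ -97,8 +98,6 @@ logging_send_syslog_msg(snort_t)
 
 miscfiles_read_localization(snort_t)
 
-sysnet_read_config(snort_t)
-# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
 sysnet_dns_name_resolve(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)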
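Review bot: In the @@ -32,20 hunk the self:tcp_socket rule shrinks from `create_stream_socket_perms` to `{ accept listen }` while `corenet_tcp_connect_prelude_port(snort_t)` is kept, so the create/connect permissions snort needs for that outbound connection must now come from elsewhere — presumably `sysnet_dns_name_resolve(snort_t)` (still present in the last hunk), which in refpolicy also grants the udp_socket and netlink_route_socket perms dropped here and itself calls sysnet_read_config, which would explain that removal too; none of that is visible in the file, so the shortened line deserves a comment such as `# tcp/udp/netlink_route socket perms come via sysnet_dns_name_resolve()`. The new `allow snort_t self:netlink_socket create_socket_perms;` targets a different object class than the removed netlink_route_socket rule, so it is an additional grant rather than a replacement and should state what snort uses a generic netlink socket for. The `# Snort IPS node. unverified.` marker is dropped at the same time netlink_firewall_socket is widened to create_socket_perms, and the next hunk drops the Red Hat bug reference justifying dev_rw_generic_usb_dev; keeping a one-line rationale next to these broad socket and device grants makes the next policy audit much easier.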