1 |
commit: cd2913c0447477ade591f93034f1c01c15136117 |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Mon Apr 21 15:08:22 2014 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Apr 27 15:28:22 2014 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd2913c0 |
7 |
|
8 |
Snort policy updates |
9 |
|
10 |
When snort starts up, its init script creates the /var/run/snort directory. |
11 |
However, the policy did not have a file transition for this, which results |
12 |
in the /var/run/snort directory to be initrc_var_run_t. |
13 |
|
14 |
By supporting a file transition to snort_var_run_t the PID file can be |
15 |
hosted inside its own directory as intended. |
16 |
|
17 |
Error logs from Snort: |
18 |
Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, |
19 |
trying /var/run... |
20 |
Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13, |
21 |
(Permission denied) |
22 |
Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID |
23 |
path set to /var/run/ |
24 |
|
25 |
Second, snort is not able to write to its own log file. It needs the |
26 |
write privilege for this (append no longer cuts it) as found through the |
27 |
AVC denial. |
28 |
|
29 |
Error logs from Snort: |
30 |
Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) |
31 |
Could not open /var/log/snort//merged.log: Permission denied |
32 |
|
33 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
34 |
|
35 |
--- |
36 |
policy/modules/contrib/snort.fc | 3 --- |
37 |
policy/modules/contrib/snort.te | 3 ++- |
38 |
2 files changed, 2 insertions(+), 4 deletions(-) |
39 |
|
40 |
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc |
41 |
index ad73ece..2b1ea6b 100644 |
42 |
--- a/policy/modules/contrib/snort.fc |
43 |
+++ b/policy/modules/contrib/snort.fc |
44 |
@@ -10,7 +10,4 @@ |
45 |
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) |
46 |
|
47 |
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) |
48 |
- |
49 |
-ifdef(`distro_gentoo',` |
50 |
/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0) |
51 |
-') |
52 |
|
53 |
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te |
54 |
index 44fcaf9..4568977 100644 |
55 |
--- a/policy/modules/contrib/snort.te |
56 |
+++ b/policy/modules/contrib/snort.te |
57 |
@@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t) |
58 |
|
59 |
type snort_var_run_t; |
60 |
files_pid_file(snort_var_run_t) |
61 |
+init_daemon_run_dir(snort_var_run_t, "snort") |
62 |
|
63 |
######################################## |
64 |
# |
65 |
@@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms; |
66 |
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; |
67 |
|
68 |
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) |
69 |
-append_files_pattern(snort_t, snort_log_t, snort_log_t) |
70 |
create_files_pattern(snort_t, snort_log_t, snort_log_t) |
71 |
setattr_files_pattern(snort_t, snort_log_t, snort_log_t) |
72 |
+write_files_pattern(snort_t, snort_log_t, snort_log_t) |
73 |
logging_log_filetrans(snort_t, snort_log_t, { file dir }) |
74 |
|
75 |
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) |