| 1 |
commit: cd2913c0447477ade591f93034f1c01c15136117 |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Mon Apr 21 15:08:22 2014 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Apr 27 15:28:22 2014 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd2913c0 |
| 7 |
|
| 8 |
Snort policy updates |
| 9 |
|
| 10 |
When snort starts up, its init script creates the /var/run/snort directory. |
| 11 |
However, the policy did not have a file transition for this, which results |
| 12 |
in the /var/run/snort directory to be initrc_var_run_t. |
| 13 |
|
| 14 |
By supporting a file transition to snort_var_run_t the PID file can be |
| 15 |
hosted inside its own directory as intended. |
| 16 |
|
| 17 |
Error logs from Snort: |
| 18 |
Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, |
| 19 |
trying /var/run... |
| 20 |
Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13, |
| 21 |
(Permission denied) |
| 22 |
Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID |
| 23 |
path set to /var/run/ |
| 24 |
|
| 25 |
Second, snort is not able to write to its own log file. It needs the |
| 26 |
write privilege for this (append no longer cuts it) as found through the |
| 27 |
AVC denial. |
| 28 |
|
| 29 |
Error logs from Snort: |
| 30 |
Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) |
| 31 |
Could not open /var/log/snort//merged.log: Permission denied |
| 32 |
|
| 33 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
| 34 |
|
| 35 |
--- |
| 36 |
policy/modules/contrib/snort.fc | 3 --- |
| 37 |
policy/modules/contrib/snort.te | 3 ++- |
| 38 |
2 files changed, 2 insertions(+), 4 deletions(-) |
| 39 |
|
| 40 |
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc |
| 41 |
index ad73ece..2b1ea6b 100644 |
| 42 |
--- a/policy/modules/contrib/snort.fc |
| 43 |
+++ b/policy/modules/contrib/snort.fc |
| 44 |
@@ -10,7 +10,4 @@ |
| 45 |
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) |
| 46 |
|
| 47 |
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) |
| 48 |
- |
| 49 |
-ifdef(`distro_gentoo',` |
| 50 |
/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0) |
| 51 |
-') |
| 52 |
|
| 53 |
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te |
| 54 |
index 44fcaf9..4568977 100644 |
| 55 |
--- a/policy/modules/contrib/snort.te |
| 56 |
+++ b/policy/modules/contrib/snort.te |
| 57 |
@@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t) |
| 58 |
|
| 59 |
type snort_var_run_t; |
| 60 |
files_pid_file(snort_var_run_t) |
| 61 |
+init_daemon_run_dir(snort_var_run_t, "snort") |
| 62 |
|
| 63 |
######################################## |
| 64 |
# |
| 65 |
@@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms; |
| 66 |
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; |
| 67 |
|
| 68 |
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) |
| 69 |
-append_files_pattern(snort_t, snort_log_t, snort_log_t) |
| 70 |
create_files_pattern(snort_t, snort_log_t, snort_log_t) |
| 71 |
setattr_files_pattern(snort_t, snort_log_t, snort_log_t) |
| 72 |
+write_files_pattern(snort_t, snort_log_t, snort_log_t) |
| 73 |
logging_log_filetrans(snort_t, snort_log_t, { file dir }) |
| 74 |
|
| 75 |
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) |
Archives