snort patch from Dan Walsh

Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
Didn't include the usbmod (doesn't exist in refpolicy at this time).
Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
This commit is contained in:
Jeremy Solt 2010-03-31 14:16:34 -04:00 committed by Chris PeBenito
parent f8b3b7fa48
commit a49a82c295
1 changed files with 5 additions and 0 deletions

View File

@ -37,6 +37,7 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket { bind create getattr };
@ -59,6 +60,7 @@ kernel_read_kernel_sysctls(snort_t)
kernel_read_sysctl(snort_t)
kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_request_load_module(snort_t)
kernel_dontaudit_read_system_state(snort_t)
corenet_all_recvfrom_unlabeled(snort_t)
@ -76,6 +78,9 @@ corenet_tcp_connect_prelude_port(snort_t)
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
dev_read_urand(snort_t)
# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)