selinux-refpolicy/strict/domains/program/unused/snort.te

34 lines
969 B
Plaintext

#DESC Snort - Network sniffer
#
# Author: Shaun Savage <savages@pcez.com>
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: snort-common
#
daemon_domain(snort)
logdir_domain(snort)
allow snort_t snort_log_t:dir create;
can_network_server(snort_t)
type snort_etc_t, file_type, sysadmfile;
# Create temporary files.
tmp_domain(snort)
# use iptable netlink
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
r_dir_file(snort_t, snort_etc_t)
allow snort_t etc_t:file { getattr read };
allow snort_t etc_t:lnk_file read;
allow snort_t self:unix_dgram_socket create_socket_perms;
allow snort_t self:unix_stream_socket create_socket_perms;
# for start script
allow initrc_t snort_etc_t:file { getattr read };
dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };