From a49a82c295a3651001949fa7664360c1e811d06a Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Wed, 31 Mar 2010 14:16:34 -0400
Subject: [PATCH] snort patch from Dan Walsh

Didn't rearrange all the kernel calls, but did add the kernel_request_load_module. Didn't include the usbmod (doesn't exist in refpolicy at this time). Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect. From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
---
 policy/modules/services/snort.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 70f240c67..c1a806fd3 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -37,6 +37,7 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
 
 # Snort IPS node. unverified.
 allow snort_t self:netlink_firewall_socket { bind create getattr };
@@ -59,6 +60,7 @@ kernel_read_kernel_sysctls(snort_t)
 kernel_read_sysctl(snort_t)
 kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
+kernel_request_load_module(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
 
 corenet_all_recvfrom_unlabeled(snort_t)
@@ -76,6 +78,9 @@ corenet_tcp_connect_prelude_port(snort_t)
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
 dev_read_urand(snort_t)
+# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
+# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
+dev_rw_generic_usb_dev(snort_t)
 
 domain_use_interactive_fds(snort_t)
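Review bot: The new `allow snort_t self:socket create_socket_perms;` in the first hunk is the only uncommented rule in a block whose neighbouring unverified rule carries a `# Snort IPS node. unverified.` note; the generic `socket` class is the catch-all for socket families without a dedicated object class, so nothing in the policy records which family snort is actually opening. Please add a comment naming the trigger, e.g. `# generic socket class: family without a dedicated class (from RH bug 559861 AVC); unverified`, so a later reviewer can tighten it to the specific class if one is added. If the denial came from the libpcap USB path mentioned in the commit message, say so; I cannot tell from the hunk.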
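Review bot: `kernel_request_load_module(snort_t)` in the second hunk lets a network-facing daemon trigger kernel module autoloading, which is a larger widening than the read-only kernel interfaces it sits among, and the commit message only says it was added, not what in snort requests the load. Please record the reason next to the call, e.g. `# module_request: autoload triggered by ? (RH bug 559861) - confirm snort fails without it`, and if snort works with the request denied, the dontaudit form of the interface is the conservative choice. The second hunk's surrounding interface-call run continues outside what is shown here.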