commit: eb72a1a6cf9947aebd0d5df523c180ef0cfa6446
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 12 13:37:06 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Apr 12 13:37:06 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb72a1a6
Snort policy updates
When snort starts up, its init script creates the /var/run/snort directory.
However, the policy did not have a file transition for this, which results
in the /var/run/snort directory being initrc_var_run_t.
By supporting a file transition to snort_var_run_t the PID file can be
hosted inside its own directory as intended.
Error logs from Snort:
Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid,
trying /var/run...
Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13,
(Permission denied)
Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID
path set to /var/run/
Second, snort is not able to write to its own log file. It needs the
write privilege for this (append no longer cuts it) as found through the
AVC denial.
Error logs from Snort:
Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320)
Could not open /var/log/snort//merged.log: Permission denied
Reported-by: sgnut <sgnut@freenode>
---
policy/modules/contrib/snort.fc | 4 ++++
policy/modules/contrib/snort.te | 12 ++++++++++++
2 files changed, 16 insertions(+)
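The commit message derives the new write rule from an AVC denial. As an added illustration (not part of this commit or of refpolicy), the following script parses a constructed AVC denial line for snort_t opening merged.log, compares the requested permission against the append-only access the message says the policy granted before the fix, and prints the minimal allow rule; the sample line and the `GRANTED_BEFORE` set are assumptions modelled on the commit text.

```python
import re

# Constructed sample denial in the kernel's AVC format; not taken from the commit.
AVC_SAMPLE = (
    'type=AVC msg=audit(1397054565.123:4242): avc:  denied  { write } for  '
    'pid=1916 comm="snort" name="merged.log" dev="sda3" ino=262213 '
    'scontext=system_u:system_r:snort_t tcontext=system_u:object_r:snort_log_t '
    'tclass=file'
)

# Assumption: before the patch, snort_t could only append to its log files.
GRANTED_BEFORE = {
    ('snort_t', 'snort_log_t', 'file'): {'append', 'getattr', 'open', 'lock', 'ioctl'},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Extract requested permissions, source/target types and object class from one denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return {'perms': set(m.group('perms').split()), 'stype': stype,
            'ttype': ttype, 'tclass': m.group('tclass')}


def missing_perms(denial, granted):
    """Permissions the denial asked for that the current rules do not grant."""
    key = (denial['stype'], denial['ttype'], denial['tclass'])
    return denial['perms'] - granted.get(key, set())


def allow_rule(denial, perms):
    """Raw allow rule for the gap; refpolicy would spell this as write_file_perms."""
    return (f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} "
            f"{{ {' '.join(sorted(perms))} }};")


if __name__ == '__main__':
    d = parse_avc(AVC_SAMPLE)
    gap = missing_perms(d, GRANTED_BEFORE)
    print(allow_rule(d, gap))  # append alone does not cover this open(O_WRONLY)
```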
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index 591b9a1..ad73ece 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -10,3 +10,7 @@
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
/var/run/snort.* --
gen_context(system_u:object_r:snort_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0)
+')
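Review bot: the new `/var/run/snort(/.*)?` context only takes effect on a relabel; a `/var/run/snort` directory that already exists as `initrc_var_run_t` (the state the commit message describes) keeps its label until `restorecon -R /var/run/snort` is run, so that step belongs in the fix notes. The pattern also overlaps the existing `/var/run/snort.* --` entry, which is harmless because both resolve to `snort_var_run_t`, but consider whether the `distro_gentoo` guard is needed here at all: the WARNING quoted in the commit message shows snort itself trying `/var/run/snort` first, so the directory-scoped PID path is snort's own default rather than a Gentoo layout choice.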
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 1af72df..44fcaf9 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -114,3 +114,15 @@ optional_policy(`
optional_policy(`
udev_read_db(snort_t)
')
+
+ifdef(`distro_gentoo',`
+ ##########################################
+ #
+ # Local policy
+ #
+ # Reported through IRC - needs write, append is not enough
+ allow snort_t snort_log_t:file write_file_perms;
+
+ # Init creates /var/run/snort if it does not exist yet
+ init_daemon_run_dir(snort_var_run_t, "snort")
+')
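Review bot: `allow snort_t snort_log_t:file write_file_perms;` is a raw allow in a .te file; refpolicy style is the pattern macro `write_files_pattern(snort_t, snort_log_t, snort_log_t)`, which also grants the directory search the open needs and matches how the rest of the module is written. The `distro_gentoo` guard also looks too narrow for this rule: the quoted FATAL ERROR comes from `spo_unified2.c` opening `merged.log` for writing, which is Snort's own behaviour and not a Gentoo init-script detail, so the write rule probably belongs outside the ifdef while only `init_daemon_run_dir(snort_var_run_t, "snort")` is tied to the Gentoo init script. Finally, the `Local policy` banner is the header refpolicy uses for a module's whole local-policy section; inside a distro ifdef a short `# Gentoo-specific policy` comment reads better.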