[selinux-policy: 2177/3172] snort patch from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:13:25 UTC 2010
commit ebf3ec9063e5dae87af376cae497820a2b808ad5
Author: Chris PeBenito <pebenito at gentoo.org>
Date: Mon Jul 27 16:04:10 2009 -0400
snort patch from dan.
policy/modules/services/snort.if | 2 +-
policy/modules/services/snort.te | 10 +++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index 170da36..c117e8b 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -38,7 +38,7 @@ interface(`snort_domtrans',`
interface(`snort_admin',`
gen_require(`
type snort_t, snort_var_run_t, snort_log_t;
- type snort_initrc_exec_t;
+ type snort_etc_t, snort_initrc_exec_t;
')
allow $1 snort_t:process { ptrace signal_perms };
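Review bot: The new `type snort_etc_t, snort_initrc_exec_t;` requirement has no visible use in this hunk, and the body of snort_admin continues past the hunk's last line, so the `admin_pattern($1, snort_etc_t)` it presumably supports cannot be checked here. Worth confirming that reference exists in the rest of the interface, since a gen_require entry with no use is accepted silently by the build and would just be dead text. If the use is also new, it belongs in the same patch so the interface change is reviewable as one unit.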
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index ab03809..5b13b97 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort, 1.7.1)
+policy_module(snort, 1.7.2)
########################################
#
@@ -56,6 +56,7 @@ manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
files_pid_filetrans(snort_t, snort_var_run_t, file)
kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t)
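Review bot: `kernel_read_sysctl(snort_t)` is added with no comment next to the existing `kernel_read_kernel_sysctls(snort_t)`, so a later reader cannot tell which access the broader call was meant to satisfy or whether the narrower one has become redundant. A one-line rationale above it, such as `# needed to list the top-level sysctl directory (denial seen at startup; confirm which path)`, would let the next maintainer revisit the grant instead of keeping both indefinitely. Since this is a privilege widening on a daemon that parses untrusted traffic, recording the triggering denial in the commit message would also help.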
@@ -70,6 +71,7 @@ corenet_udp_sendrecv_generic_node(snort_t)
corenet_raw_sendrecv_generic_node(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
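Review bot: `corenet_tcp_connect_prelude_port(snort_t)` is granted unconditionally and without a comment, while the rationale for the related DNS access in the later hunk of this file explicitly ties it to relaying alerts to a remote prelude-manager. Moving this line into the `optional_policy(` block that calls `prelude_manage_spool(snort_t)`, or at least preceding it with `# relay alerts to a remote prelude-manager`, would keep the prelude-specific egress together and avoid granting an outbound connect on hosts where prelude policy is not even loaded. As written, a compromised snort_t gets this network path on every installation.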
@@ -90,11 +92,17 @@ logging_send_syslog_msg(snort_t)
miscfiles_read_localization(snort_t)
sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
userdom_dontaudit_search_user_home_dirs(snort_t)
optional_policy(`
+ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(snort_t)
')
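Review bot: `prelude_manage_spool(snort_t)` gives snort_t create, write and delete rights over prelude's spool, which is the alert store an attacker who gains code execution in snort via crafted traffic would most want to tamper with; if prelude.if offers a narrower interface that only allows creating and appending spool files, that would be the better fit, and the choice deserves a comment either way. The new `sysnet_dns_name_resolve(snort_t)` is granted unconditionally even though its comment ties it to the prelude relay, so either move it inside the `optional_policy(` block below or reword the comment to state the general need. The comment also reads `# snorts must be able to resolve dns …`; `# snort must be able to resolve DNS names in case it relays to a remote prelude-manager` is clearer.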