[selinux-policy: 2177/3172] snort patch from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:13:25 UTC 2010


commit ebf3ec9063e5dae87af376cae497820a2b808ad5
Author: Chris PeBenito <pebenito at gentoo.org>
Date:   Mon Jul 27 16:04:10 2009 -0400

    snort patch from dan.

 policy/modules/services/snort.if |    2 +-
 policy/modules/services/snort.te |   10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index 170da36..c117e8b 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -38,7 +38,7 @@ interface(`snort_domtrans',`
 interface(`snort_admin',`
 	gen_require(`
 		type snort_t, snort_var_run_t, snort_log_t;
-		type snort_initrc_exec_t;
+		type snort_etc_t, snort_initrc_exec_t;
 	')
 
 	allow $1 snort_t:process { ptrace signal_perms };
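Review bot: The gen_require now lists snort_etc_t, but nothing in the visible part of snort_admin uses that type, and neither snort.te hunk in this commit declares it; the interface body continues past the hunk, so the matching `admin_pattern($1, snort_etc_t)` rule and the type declaration are presumably already there. If they are not, the require is dead weight at best and, with an undeclared type, a caller of snort_admin fails at policy build. Worth confirming against the rest of snort.if and snort.te before merging.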
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index ab03809..5b13b97 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
 
-policy_module(snort, 1.7.1)
+policy_module(snort, 1.7.2)
 
 ########################################
 #
@@ -56,6 +56,7 @@ manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
 files_pid_filetrans(snort_t, snort_var_run_t, file)
 
 kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
 kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
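Review bot: kernel_read_sysctl(snort_t) is added directly under kernel_read_kernel_sysctls(snort_t) with no comment, so the reader cannot tell which sysctl snort needs that the existing, narrower rule does not already cover. Since this widens what the snort_t domain may read under /proc/sys, the reason belongs in the policy, e.g. `# TODO(review): name the sysctl outside the kernel/ subtree that snort reads`, replacing the placeholder once known. If the access was found via an AVC denial, quoting the denied path in that comment is the usual refpolicy practice.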
@@ -70,6 +71,7 @@ corenet_udp_sendrecv_generic_node(snort_t)
 corenet_raw_sendrecv_generic_node(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
 
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
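Review bot: corenet_tcp_connect_prelude_port(snort_t) is the rule that actually lets snort open outbound connections to a prelude-manager, yet unlike the DNS rule added in the last hunk it carries no comment explaining that purpose. A one-line note such as `# relay alerts to a remote prelude-manager` above it would tie this unconditional connect permission to the prelude-related rules elsewhere in the file. As it stands a later reader has to cross-reference the DNS comment and the optional prelude block to understand why this port is open to snort.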
@@ -90,11 +92,17 @@ logging_send_syslog_msg(snort_t)
 miscfiles_read_localization(snort_t)
 
 sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
 userdom_dontaudit_search_user_home_dirs(snort_t)
 
 optional_policy(`
+	prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(snort_t)
 ')
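Review bot: The new comment reads "snorts must be able to resolve dns", which is a typo for the domain name and reads awkwardly; `# snort must be able to resolve dns in case it wants to relay to a remote prelude-manager` is the intended wording. The prelude-relay feature is now spread across three unrelated places in snort.te (the DNS rule here, the prelude port connect in the earlier hunk, and the spool access in the new optional_policy block) with only this one comment, so mentioning the other two rules here, or giving each the same short comment, would keep them from being trimmed independently later. The placement of the prelude optional_policy block before the seutil one does follow the file's alphabetical ordering.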
 

