[selinux-policy: 2599/3172] snort patch from Dan Walsh

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:51:08 UTC 2010


commit a49a82c295a3651001949fa7664360c1e811d06a
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Wed Mar 31 14:16:34 2010 -0400

    snort patch from Dan Walsh
    
    Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
    Didn't include the usbmod (doesn't exist in refpolicy at this time).
    Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
    From the Red Hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.

 policy/modules/services/snort.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 70f240c..c1a806f 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -37,6 +37,7 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
 # Snort IPS node. unverified.
 allow snort_t self:netlink_firewall_socket { bind create getattr };
 
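Review bot: the new `allow snort_t self:socket create_socket_perms;` line carries no comment saying which socket family triggered it, unlike the `netlink_firewall_socket` rule just below it, which is at least marked "unverified". The generic `socket` class is the fallback for families that have no dedicated SELinux class, so a reader of the policy cannot tell from this rule what snort (or libpcap) is actually opening. Please add a one-line comment with the AVC denial or socket family that prompted it, e.g. `# AVC: socket family <X> from libpcap, see RH bug 559861`, so the rule can be narrowed or dropped once a specific class exists.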
@@ -59,6 +60,7 @@ kernel_read_kernel_sysctls(snort_t)
 kernel_read_sysctl(snort_t)
 kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
+kernel_request_load_module(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
 
 corenet_all_recvfrom_unlabeled(snort_t)
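Review bot: `kernel_request_load_module(snort_t)` is added without a comment explaining what snort needs to auto-load, and the commit message only says it was added. Allowing a network-facing sniffer to trigger kernel module loading is a meaningful widening of what the domain can do, so the reason belongs next to the rule; suggest a comment such as `# libpcap triggers module autoload when opening capture sockets (RH bug 559861)` if that is the cause, or the actual denial if it differs.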
@@ -76,6 +78,9 @@ corenet_tcp_connect_prelude_port(snort_t)
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
 dev_read_urand(snort_t)
+# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
+# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
+dev_rw_generic_usb_dev(snort_t)
 
 domain_use_interactive_fds(snort_t)
 
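Review bot: the comment says snort wants read, write and ioctl on `/dev/usbmon`, but `dev_rw_generic_usb_dev(snort_t)` grants read/write on the generic USB device type, which covers every USB device node, not just usbmon. The commit message acknowledges that no usbmon-specific type exists in refpolicy yet, so the wider grant is a stopgap; the comment should say so rather than leaving "Maybe this is a side effect?" as an open question in shipped policy. Suggest rewording to something like `# No usbmon type in refpolicy yet; generic USB access is a stopgap (RH bug 559861)`, and consider gating the call behind a tunable, since most snort deployments capture on Ethernet and never need USB device access.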

