authorSven Vermeulen <sven.vermeulen@siphos.be>2014-04-21 17:08:22 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2014-04-27 17:28:22 +0200
commitcd2913c0447477ade591f93034f1c01c15136117 (patch)
tree3265a63814b9e557cbf2eaca93ceec5e5dd02da2 /policy/modules/contrib/snort.te
parentMerger with upstream (diff)
Snort policy updates
When snort starts up, its init script creates the /var/run/snort directory. However, the policy did not have a file transition for this, which results in the /var/run/snort directory being labeled initrc_var_run_t. By supporting a file transition to snort_var_run_t the PID file can be hosted inside its own directory as intended. Error logs from Snort: Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, trying /var/run... Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13, (Permission denied) Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID path set to /var/run/ Second, snort is not able to write to its own log file. It needs the write privilege for this (append no longer cuts it) as found through the AVC denial. Error logs from Snort: Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort//merged.log: Permission denied Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Diffstat (limited to 'policy/modules/contrib/snort.te')
-rw-r--r--policy/modules/contrib/snort.te3
1 files changed, 2 insertions, 1 deletions
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 44fcaf95..45689773 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t)
type snort_var_run_t;
files_pid_file(snort_var_run_t)
+init_daemon_run_dir(snort_var_run_t, "snort")
########################################
#
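Review bot: The added `init_daemon_run_dir(snort_var_run_t, "snort")` only gives the directory its label at the moment the init script creates it; a /var/run/snort that already exists, or one relabeled by restorecon, takes whatever the companion .fc file says, and this diffstat-limited view does not show whether a matching `/var/run/snort(/.*)?` entry exists there. If it does not, a one-line file-context entry for that directory would make the on-disk label agree with the transition. The rules granting snort_t itself access to snort_var_run_t are outside this hunk, so it is not visible here whether snort_t can create and write its PID file inside the new directory; that is worth confirming against the AVC log after the change.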
@@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
create_files_pattern(snort_t, snort_log_t, snort_log_t)
setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+write_files_pattern(snort_t, snort_log_t, snort_log_t)
logging_log_filetrans(snort_t, snort_log_t, { file dir })
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
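Review bot: Replacing `append_files_pattern` with `write_files_pattern` removes the `append` permission rather than adding `write` to it, since the write permission set does not include append. SELinux checks `append` (not `write`) for files opened with O_APPEND, so any snort output plugin that opens its log in append mode, as opposed to the unified2 open quoted in the description, would start being denied after this change. Keep the removed line next to the new one: `append_files_pattern(snort_t, snort_log_t, snort_log_t)` followed by `write_files_pattern(snort_t, snort_log_t, snort_log_t)`, or use a pattern that grants both, so both open modes on snort_log_t are covered. I am inferring the open modes from the plugin behaviour described in the message rather than from code in this hunk.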