authorDominick Grift <dominick.grift@gmail.com>2012-10-28 13:51:27 +0100
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-10-28 18:58:59 +0100
commit02f35abc5e36b2965a9ef94e5ebfc917c16b2510 (patch)
tree014d2f387b9a5607fc009e0d274ea81f244ef72b /policy
parentTab clean up in the snort file context file (diff)
Changes to the snort policy module
Ported from Fedora with changes.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Diffstat (limited to 'policy')
-rw-r--r--policy/modules/contrib/snort.fc5
-rw-r--r--policy/modules/contrib/snort.if9
-rw-r--r--policy/modules/contrib/snort.te25
3 files changed, 21 insertions, 18 deletions
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index cbb7498bb..24a8e1b80 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -1,7 +1,10 @@
/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
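Review bot: `/usr/sbin/snort-plain` on the last context line is left with only its sbin form, while `snort` itself now carries both a `/usr/bin/snort` and a `/usr/sbin/snort` entry; if the split is meant to cover installations where sbin is merged into bin, a `snort-plain` binary under `/usr/bin` would stay unlabeled and never transition into `snort_t`. Either add `/usr/bin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)` next to the existing entry or state in the commit message why only the sbin path is expected for that binary.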
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index c117e8b55..7d86b3485 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -1,4 +1,4 @@
-## <summary>Snort network intrusion detection system</summary>
+## <summary>Snort network intrusion detection system.</summary>
########################################
## <summary>
@@ -15,13 +15,14 @@ interface(`snort_domtrans',`
type snort_t, snort_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, snort_exec_t, snort_t)
')
########################################
## <summary>
-## All of the rules required to administrate
-## an snort environment
+## All of the rules required to
+## administrate an snort environment.
## </summary>
## <param name="domain">
## <summary>
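Review bot: The rewritten summary for the admin interface still reads `administrate an snort environment.`; the article is wrong and the line should be `## administrate a snort environment.`. The `corecmd_search_bin($1)` line belongs to `snort_domtrans`, whose opening `interface(` is above this hunk, so the interface cannot be checked as a whole here.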
@@ -30,7 +31,7 @@ interface(`snort_domtrans',`
## </param>
## <param name="role">
## <summary>
-## The role to be allowed to manage the snort domain.
+## Role allowed access.
## </summary>
## </param>
## <rolecap/>
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 179bc1b0b..ccd28bbc4 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.10.0)
+policy_module(snort, 1.10.1)
########################################
#
@@ -32,20 +32,20 @@ files_pid_file(snort_var_run_t)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:tcp_socket create_stream_socket_perms;
-allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:netlink_socket create_socket_perms;
+allow snort_t self:tcp_socket { accept listen };
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
-# Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
-manage_files_pattern(snort_t, snort_log_t, snort_log_t)
-create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+append_files_pattern(snort_t, snort_log_t, snort_log_t)
+create_files_pattern(snort_t, snort_log_t, snort_log_t)
+setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
logging_log_filetrans(snort_t, snort_log_t, { file dir })
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
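Review bot: `allow snort_t self:udp_socket create_socket_perms;` is dropped and `self:tcp_socket` is reduced to `{ accept listen }`, yet `corenet_udp_sendrecv_generic_node(snort_t)`, `corenet_udp_sendrecv_all_ports(snort_t)` and `corenet_tcp_connect_prelude_port(snort_t)` in the next hunk stay; unless the base policy this was ported against grants socket creation to every domain centrally, those traffic rules are no longer reachable and snort will be denied on `socket()` before any port rule applies. The swap of `netlink_route_socket` for the generic `netlink_socket` class is a class change rather than a permission adjustment and deserves a one-line comment naming the denial it resolves, e.g. `# netlink_socket, not netlink_route_socket: matches the Fedora port`. `netlink_firewall_socket` is widened from `{ bind create getattr }` to `create_socket_perms` while the `# Snort IPS node. unverified.` comment is removed, and the following hunk likewise removes the usbmon rationale for `dev_rw_generic_usb_dev(snort_t)` while keeping the rule; if those grants have since been verified, replace the comments with the reason, otherwise keep them so the wider permissions stay explained.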
@@ -73,14 +73,15 @@ corenet_udp_sendrecv_generic_node(snort_t)
corenet_raw_sendrecv_generic_node(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
+
+corenet_sendrecv_prelude_client_packets(snort_t)
corenet_tcp_connect_prelude_port(snort_t)
+corenet_tcp_sendrecv_prelude_port(snort_t)
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
dev_read_urand(snort_t)
dev_read_usbmon_dev(snort_t)
-# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
-# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
@@ -97,8 +98,6 @@ logging_send_syslog_msg(snort_t)
miscfiles_read_localization(snort_t)
-sysnet_read_config(snort_t)
-# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
sysnet_dns_name_resolve(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)