
########################################
#
# SELinux reference-policy module for the snort daemon.
#
# Confines the daemon in its own domain (snort_t) with private types for its
# configuration, logs, temporary files and pid file, and grants it the raw
# packet / network permissions visible in the rules below.  Rules are
# declarative; order within a section does not matter, but all types must be
# declared before they are referenced.
#
policy_module(snort,1.0.0)

########################################
#
# Declarations
#

# Domain the daemon runs in, and the type of its executable.  init_daemon_domain()
# makes snort_exec_t the entrypoint through which init transitions into snort_t.
type snort_t;
type snort_exec_t;
init_daemon_domain(snort_t,snort_exec_t)

# Configuration files; only read access is granted to them below.
type snort_etc_t;
files_type(snort_etc_t)

# Log files and directories created under the generic log location.
type snort_log_t;
logging_log_file(snort_log_t)

# Scratch files created under the generic tmp location.
type snort_tmp_t;
files_tmp_file(snort_tmp_t)

# Pid file created under the generic pid location.
type snort_var_run_t;
files_pid_file(snort_var_run_t)

########################################
#
# Local policy
#

# Capabilities granted to the daemon itself:
#   setgid/setuid  - presumably to drop to an unprivileged user after startup; confirm
#   net_admin      - interface configuration (e.g. promiscuous mode); confirm against the binary
#   net_raw        - required for the packet_socket rule further down
#   dac_override   - bypasses file-permission (DAC) checks on every object the domain may
#                    touch; this is the broadest grant here and is worth re-checking if the
#                    daemon's files are owned by its own service user (NOTE(review): verify)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
# Only silences audit noise; sys_tty_config is not granted.
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
# Route-netlink socket: nlmsg_read allows reading (not modifying) routing/interface state.
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
# Link-layer packet capture socket; works together with the net_raw capability above.
allow snort_t self:packet_socket create_socket_perms;

# Configuration: read-only access to dirs, files and symlinks; no write rule is present.
allow snort_t snort_etc_t:dir r_dir_perms;
allow snort_t snort_etc_t:file r_file_perms;
allow snort_t snort_etc_t:lnk_file { getattr read };

# Logs: the daemon may create files and directories; the filetrans ensures anything it
# creates in the generic log location is labelled snort_log_t rather than the parent type.
allow snort_t snort_log_t:file create_file_perms;
allow snort_t snort_log_t:dir { create rw_dir_perms };
logging_log_filetrans(snort_t,snort_log_t,{ file dir })

# Temporary files and directories, labelled snort_tmp_t on creation.
allow snort_t snort_tmp_t:dir create_dir_perms;
allow snort_t snort_tmp_t:file create_file_perms;
files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })

# Pid file: only files (not directories) are transitioned into snort_var_run_t.
allow snort_t snort_var_run_t:file create_file_perms;
allow snort_t snort_var_run_t:dir rw_dir_perms;
files_pid_filetrans(snort_t,snort_var_run_t,file)

# Kernel state: read sysctls, list /proc and follow its symlinks; reads of other
# system state are silenced rather than granted.
kernel_read_kernel_sysctls(snort_t)
kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t)

# Network: send/receive TCP, UDP and raw traffic on the generic interface, all node
# addresses and all ports, and bind to any node address.  Note that no port-binding
# interface is granted here, so the daemon is not given a listening port of its own.
corenet_non_ipsec_sendrecv(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
corenet_raw_sendrecv_generic_if(snort_t)
corenet_tcp_sendrecv_all_nodes(snort_t)
corenet_udp_sendrecv_all_nodes(snort_t)
corenet_raw_sendrecv_all_nodes(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
corenet_tcp_bind_all_nodes(snort_t)
corenet_udp_bind_all_nodes(snort_t)

dev_read_sysfs(snort_t)

domain_use_interactive_fds(snort_t)

# Generic /etc reads; reads of etc runtime files are silenced, not granted.
files_read_etc_files(snort_t)
files_dontaudit_read_etc_runtime_files(snort_t)

fs_getattr_all_fs(snort_t)
fs_search_auto_mountpoints(snort_t)

term_dontaudit_use_console(snort_t)

# Inherited fds and ptys from init scripts during startup.
init_use_fds(snort_t)
init_use_script_ptys(snort_t)

libs_use_ld_so(snort_t)
libs_use_shared_libs(snort_t)

logging_send_syslog_msg(snort_t)

miscfiles_read_localization(snort_t)

# Read-only access to system network configuration.
sysnet_read_config(snort_t)

# Silence fd/home-directory lookups leaked from user sessions; nothing is granted.
userdom_dontaudit_use_unpriv_user_fds(snort_t)
userdom_dontaudit_search_sysadm_home_dirs(snort_t)

# Additional dontaudits that apply only when built as the targeted policy.
ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(snort_t)
	term_dontaudit_use_generic_ptys(snort_t)
	files_dontaudit_read_root_files(snort_t)
')

# Only compiled in when the seutil module is present.
optional_policy(`
	seutil_sigchld_newrole(snort_t)
')

# Only compiled in when the udev module is present.
optional_policy(`
	udev_read_db(snort_t)
')