[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / snort.te


policy_module(snort,1.0.0)

########################################
#
# Declarations
#

type snort_t;
type snort_exec_t;
init_daemon_domain(snort_t,snort_exec_t)

type snort_etc_t;
files_type(snort_etc_t)

type snort_log_t;
logging_log_file(snort_log_t)

type snort_tmp_t;
files_tmp_file(snort_tmp_t)

type snort_var_run_t;
files_pid_file(snort_var_run_t)

########################################
#
# Local policy
#

allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;

allow snort_t snort_etc_t:dir r_dir_perms;
allow snort_t snort_etc_t:file r_file_perms;
allow snort_t snort_etc_t:lnk_file { getattr read };

allow snort_t snort_log_t:file create_file_perms;
allow snort_t snort_log_t:dir { create rw_dir_perms };
logging_log_filetrans(snort_t,snort_log_t,{ file dir })

allow snort_t snort_tmp_t:dir create_dir_perms;
allow snort_t snort_tmp_t:file create_file_perms;
files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })

allow snort_t snort_var_run_t:file create_file_perms;
allow snort_t snort_var_run_t:dir rw_dir_perms;
files_pid_filetrans(snort_t,snort_var_run_t,file)

kernel_read_kernel_sysctls(snort_t)
kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t)

corenet_non_ipsec_sendrecv(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
corenet_raw_sendrecv_generic_if(snort_t)
corenet_tcp_sendrecv_all_nodes(snort_t)
corenet_udp_sendrecv_all_nodes(snort_t)
corenet_raw_sendrecv_all_nodes(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
corenet_tcp_bind_all_nodes(snort_t)
corenet_udp_bind_all_nodes(snort_t)

dev_read_sysfs(snort_t)

domain_use_interactive_fds(snort_t)

files_read_etc_files(snort_t)
files_dontaudit_read_etc_runtime_files(snort_t)

fs_getattr_all_fs(snort_t)
fs_search_auto_mountpoints(snort_t)

term_dontaudit_use_console(snort_t)

init_use_fds(snort_t)
init_use_script_ptys(snort_t)

libs_use_ld_so(snort_t)
libs_use_shared_libs(snort_t)

logging_send_syslog_msg(snort_t)

miscfiles_read_localization(snort_t)

sysnet_read_config(snort_t)

userdom_dontaudit_use_unpriv_user_fds(snort_t)
userdom_dontaudit_search_sysadm_home_dirs(snort_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(snort_t)
	term_dontaudit_use_generic_ptys(snort_t)
	files_dontaudit_read_root_files(snort_t)
')

optional_policy(`
	seutil_sigchld_newrole(snort_t)
')

optional_policy(`
	udev_read_db(snort_t)
')
Commit	Line	Data
e5516014 CP	1
	2	policy_module(snort,1.0.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type snort_t;
	10	type snort_exec_t;
	11	init_daemon_domain(snort_t,snort_exec_t)
	12
	13	type snort_etc_t;
	14	files_type(snort_etc_t)
	15
	16	type snort_log_t;
	17	logging_log_file(snort_log_t)
	18
	19	type snort_tmp_t;
	20	files_tmp_file(snort_tmp_t)
	21
	22	type snort_var_run_t;
	23	files_pid_file(snort_var_run_t)
	24
	25	########################################
	26	#
	27	# Local policy
	28	#
	29
	30	allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
	31	dontaudit snort_t self:capability sys_tty_config;
	32	allow snort_t self:process signal_perms;
	33	allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
	34	allow snort_t self:tcp_socket create_stream_socket_perms;
	35	allow snort_t self:udp_socket create_socket_perms;
	36	allow snort_t self:packet_socket create_socket_perms;
	37
	38	allow snort_t snort_etc_t:dir r_dir_perms;
	39	allow snort_t snort_etc_t:file r_file_perms;
	40	allow snort_t snort_etc_t:lnk_file { getattr read };
	41
	42	allow snort_t snort_log_t:file create_file_perms;
	43	allow snort_t snort_log_t:dir { create rw_dir_perms };
	44	logging_log_filetrans(snort_t,snort_log_t,{ file dir })
	45
	46	allow snort_t snort_tmp_t:dir create_dir_perms;
	47	allow snort_t snort_tmp_t:file create_file_perms;
	48	files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
	49
	50	allow snort_t snort_var_run_t:file create_file_perms;
	51	allow snort_t snort_var_run_t:dir rw_dir_perms;
	52	files_pid_filetrans(snort_t,snort_var_run_t,file)
	53
	54	kernel_read_kernel_sysctls(snort_t)
	55	kernel_list_proc(snort_t)
	56	kernel_read_proc_symlinks(snort_t)
	57	kernel_dontaudit_read_system_state(snort_t)
	58
	59	corenet_non_ipsec_sendrecv(snort_t)
	60	corenet_tcp_sendrecv_generic_if(snort_t)
	61	corenet_udp_sendrecv_generic_if(snort_t)
	62	corenet_raw_sendrecv_generic_if(snort_t)
	63	corenet_tcp_sendrecv_all_nodes(snort_t)
	64	corenet_udp_sendrecv_all_nodes(snort_t)
65	corenet_raw_sendrecv_all_nodes(snort_t)
66	corenet_tcp_sendrecv_all_ports(snort_t)
67	corenet_udp_sendrecv_all_ports(snort_t)
68	corenet_tcp_bind_all_nodes(snort_t)
69	corenet_udp_bind_all_nodes(snort_t)
70
71	dev_read_sysfs(snort_t)
72
73	domain_use_interactive_fds(snort_t)
74
75	files_read_etc_files(snort_t)
76	files_dontaudit_read_etc_runtime_files(snort_t)
77
78	fs_getattr_all_fs(snort_t)
79	fs_search_auto_mountpoints(snort_t)
80
81	term_dontaudit_use_console(snort_t)
82
83	init_use_fds(snort_t)
84	init_use_script_ptys(snort_t)
85
86	libs_use_ld_so(snort_t)
87	libs_use_shared_libs(snort_t)
88
89	logging_send_syslog_msg(snort_t)
90
91	miscfiles_read_localization(snort_t)
92
93	sysnet_read_config(snort_t)
94
95	userdom_dontaudit_use_unpriv_user_fds(snort_t)
96	userdom_dontaudit_search_sysadm_home_dirs(snort_t)
97
98	ifdef(`targeted_policy',`
99	term_dontaudit_use_unallocated_ttys(snort_t)
100	term_dontaudit_use_generic_ptys(snort_t)
101	files_dontaudit_read_root_files(snort_t)
102	')
103
104	optional_policy(`
105	seutil_sigchld_newrole(snort_t)
106	')
107
108	optional_policy(`
109	udev_read_db(snort_t)
110	')