From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 95414138A1F for ; Sun, 27 Apr 2014 15:34:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 023FDE09FA; Sun, 27 Apr 2014 15:34:13 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6D5A8E09A9 for ; Sun, 27 Apr 2014 15:34:12 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9625233FE86 for ; Sun, 27 Apr 2014 15:34:11 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 43BD41818D for ; Sun, 27 Apr 2014 15:34:09 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1398612502.cd2913c0447477ade591f93034f1c01c15136117.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/snort.fc policy/modules/contrib/snort.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cd2913c0447477ade591f93034f1c01c15136117 X-VCS-Branch: master Date: Sun, 27 Apr 2014 15:34:09 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0955353f-233c-417e-b7f3-4a2547e2f382 X-Archives-Hash: 98a70870ca927731682732bad4a14afd commit: cd2913c0447477ade591f93034f1c01c15136117 Author: Sven Vermeulen siphos be> AuthorDate: Mon Apr 21 15:08:22 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sun Apr 27 15:28:22 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd2913c0 Snort policy updates When snort starts up, its init script creates the /var/run/snort directory. However, the policy did not have a file transition for this, which results in the /var/run/snort directory to be initrc_var_run_t. By supporting a file transition to snort_var_run_t the PID file can be hosted inside its own directory as intended. Error logs from Snort: Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, trying /var/run... Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13, (Permission denied) Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID path set to /var/run/ Second, snort is not able to write to its own log file. 
It needs the write privilege for this (append no longer cuts it) as found through the AVC denial. Error logs from Snort: Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort//merged.log: Permission denied Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/snort.fc | 3 --- policy/modules/contrib/snort.te | 3 ++- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc index ad73ece..2b1ea6b 100644 --- a/policy/modules/contrib/snort.fc +++ b/policy/modules/contrib/snort.fc @@ -10,7 +10,4 @@ /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) /var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) - -ifdef(`distro_gentoo',` /var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0) -') diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te index 44fcaf9..4568977 100644 --- a/policy/modules/contrib/snort.te +++ b/policy/modules/contrib/snort.te @@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t) type snort_var_run_t; files_pid_file(snort_var_run_t) +init_daemon_run_dir(snort_var_run_t, "snort") ######################################## # @@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms; allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) -append_files_pattern(snort_t, snort_log_t, snort_log_t) create_files_pattern(snort_t, snort_log_t, snort_log_t) setattr_files_pattern(snort_t, snort_log_t, snort_log_t) +write_files_pattern(snort_t, snort_log_t, snort_log_t) logging_log_filetrans(snort_t, snort_log_t, { file dir }) manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
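Review bot: the snort.fc hunk drops the `distro_gentoo` guard so `/var/run/snort(/.*)?` is labelled `snort_var_run_t` unconditionally, but the commit message does not say what happens on systems where the init script already created `/var/run/snort` as `initrc_var_run_t`: a type transition only applies to newly created directories, so existing installs need a relabel (`restorecon -R /var/run/snort`) before the PID file lands in the right place. Worth a sentence in the message or in the policy's changelog.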
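Review bot: the `init_daemon_run_dir(snort_var_run_t, "snort")` line only covers the case the commit message describes, the init script (running as the init domain) creating a directory literally named `snort` under the PID directory; it does not give `snort_t` itself any rights on `snort_var_run_t`, and the hunk shows none being added. If the daemon is expected to write `snort.pid` into that directory, the existing `snort_var_run_t` rules for `snort_t` need to include directory search and file creation there; please confirm they do, since the hunk context does not show them.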
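Review bot: replacing `append_files_pattern(snort_t, snort_log_t, snort_log_t)` with `write_files_pattern(snort_t, snort_log_t, snort_log_t)` is a strict widening (the write permission set includes append), so nothing snort could do before is lost, but it does remove the append-only property the old rule enforced: a compromised `snort_t` can now overwrite or truncate its own logs rather than only extend them. That is the trade-off the `spo_unified2.c` denial forces, so the commit message should state it explicitly, and sites that care about log integrity should rely on the log shipping or rotation domain rather than on the snort policy for tamper resistance.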