From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1397309826.eb72a1a6cf9947aebd0d5df523c180ef0cfa6446.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/snort.fc policy/modules/contrib/snort.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: eb72a1a6cf9947aebd0d5df523c180ef0cfa6446
X-VCS-Branch: master
Date: Sat, 12 Apr 2014 13:38:39 +0000 (UTC)

commit:     eb72a1a6cf9947aebd0d5df523c180ef0cfa6446
Author:     Sven Vermeulen siphos be>
AuthorDate: Sat Apr 12 13:37:06 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sat Apr 12 13:37:06 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb72a1a6

Snort policy updates

When snort starts up, its init script creates the /var/run/snort directory. However, the policy did not have a file transition for this, which results in the /var/run/snort directory being labeled initrc_var_run_t. By supporting a file transition to snort_var_run_t, the PID file can be hosted inside its own directory as intended.

Error logs from Snort:

Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, trying /var/run...
Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13, (Permission denied)
Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID path set to /var/run/

Second, snort is not able to write to its own log file.
It needs the write privilege for this (append no longer cuts it) as found through the AVC denial.

Error logs from Snort:

Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort//merged.log: Permission denied

Reported-by: sgnut

---
 policy/modules/contrib/snort.fc |  4 ++++
 policy/modules/contrib/snort.te | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc index 591b9a1..ad73ece 100644 --- a/policy/modules/contrib/snort.fc +++ b/policy/modules/contrib/snort.fc @@ -10,3 +10,7 @@ /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) /var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) + +ifdef(`distro_gentoo',` +/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0) +') diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te index 1af72df..44fcaf9 100644 --- a/policy/modules/contrib/snort.te +++ b/policy/modules/contrib/snort.te @@ -114,3 +114,15 @@ optional_policy(` optional_policy(` udev_read_db(snort_t) ') + +ifdef(`distro_gentoo',` + ########################################## + # + # Local policy + # + # Reported through IRC - needs write, append is not enough + allow snort_t snort_log_t:file write_file_perms; + + # Init creates /var/run/snort if it does not exist yet + init_daemon_run_dir(snort_var_run_t, "snort") +')
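Review bot: in the snort.fc hunk, the new /var/run/snort(/.*)? entry overlaps the existing /var/run/snort.* -- line for every regular file under the directory (both resolve to snort_var_run_t, so there is no labeling conflict), but the directory itself is covered only by the new line because the -- qualifier on the existing entry restricts it to regular files; a short comment next to the ifdef saying so would stop the next reader from removing the apparent duplicate. Note also that an fc entry only takes effect on a relabel, so a /var/run/snort that already exists as initrc_var_run_t stays that way until it is recreated or relabeled with restorecon -R /var/run/snort.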
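Review bot: in the snort.te hunk, allow snort_t snort_log_t:file write_file_perms; widens snort_t beyond the append-only access it previously had on its logs, so a compromised snort process can now truncate or rewrite its own log files; the spo_unified2.c FATAL ERROR quoted in the commit message shows the unified2 output plugin needs this, and the in-policy comment should state that reason instead of "Reported through IRC" (the commit message already carries Reported-by). Separately, the directory is created by the init script, which runs as initrc_t rather than init_t, so confirm that init_daemon_run_dir(snort_var_run_t, "snort") provides the var_run_t dir file transition for initrc_t as well as init_t; if it only covers init_t, the directory will still end up initrc_var_run_t on an OpenRC system.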
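As an added illustration (not part of the commit or of refpolicy), a small Python model of file_contexts matching that shows why the pre-existing `/var/run/snort.* --` entry never labels the directory itself, while files beneath it were already covered; the sample entries are constructed from the hunk as they would read after m4 expansion, and the matching rules follow what setfiles/restorecon apply (whole-path regex match, type qualifier check, last match wins):

```python
import re

# Constructed file_contexts sample: the entries the snort.fc hunk touches, after m4
# expansion. The trailing "--" on the second entry restricts it to regular files.
FC_BEFORE = """\
/var/log/snort(/.*)?    gen_context(system_u:object_r:snort_log_t,s0)
/var/run/snort.*  --    gen_context(system_u:object_r:snort_var_run_t,s0)
"""
# The entry the commit adds, appended after the existing ones.
FC_AFTER = FC_BEFORE + "/var/run/snort(/.*)?    gen_context(system_u:object_r:snort_var_run_t,s0)\n"

# file_contexts type qualifiers (only the two needed here; the full set also has -l, -c, -b, -s, -p)
QUALIFIERS = {"--": "file", "-d": "dir"}

def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_or_None, security_context)] in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, qual, spec = parts
            ftype = QUALIFIERS[qual]
        else:
            regex, spec = parts
            ftype = None          # unqualified entry applies to every file type
        ctx = re.fullmatch(r"gen_context\(([^,]+),s0\)", spec).group(1)
        entries.append((re.compile(regex), ftype, ctx))
    return entries

def match_context(entries, path, ftype):
    """Label a relabel would assign to `path` of type `ftype` ("file" or "dir"):
    the regex must match the whole path, a qualified entry applies only to its own
    file type, and the last matching entry wins (refpolicy's fc_sort orders the
    file so that more specific patterns come last). None means no entry matches."""
    label = None
    for regex, etype, ctx in entries:
        if regex.fullmatch(path) and etype in (None, ftype):
            label = ctx
    return label

if __name__ == "__main__":
    for name, text in (("before", FC_BEFORE), ("after", FC_AFTER)):
        entries = parse_file_contexts(text)
        for path, ftype in (("/var/run/snort", "dir"), ("/var/run/snort/snort.pid", "file")):
            print(f"{name}: {path} ({ftype}) -> {match_context(entries, path, ftype)}")
```

Before the change the directory gets no match (so it keeps whatever label the creating process gave it, initrc_var_run_t here), while after it both the directory and the PID file inside it resolve to snort_var_run_t.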