From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 24 Apr 2014 12:57:01 -0400 Subject: [refpolicy] [PATCH 1/2] Snort policy updates In-Reply-To: <1398092903-6994-2-git-send-email-sven.vermeulen@siphos.be> References: <1398092903-6994-1-git-send-email-sven.vermeulen@siphos.be> <1398092903-6994-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <5359425D.4080202@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/21/2014 11:08 AM, Sven Vermeulen wrote: > When snort starts up, its init script creates the /var/run/snort directory. > However, the policy did not have a file transition for this, which results > in the /var/run/snort directory to be initrc_var_run_t. > > By supporting a file transition to snort_var_run_t the PID file can be > hosted inside its own directory as intended. Merged. > Signed-off-by: Sven Vermeulen > --- > snort.fc | 1 + > snort.te | 3 ++- > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/snort.fc b/snort.fc > index 591b9a1..2b1ea6b 100644 > --- a/snort.fc > +++ b/snort.fc > @@ -10,3 +10,4 @@ > /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) > > /var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) > +/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0) > diff --git a/snort.te b/snort.te > index 1af72df..2d78724 100644 > --- a/snort.te > +++ b/snort.te > @@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t) > > type snort_var_run_t; > files_pid_file(snort_var_run_t) > +init_daemon_run_dir(snort_var_run_t, "snort") > > ######################################## > # 
> @@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms; > allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; > > manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) > -append_files_pattern(snort_t, snort_log_t, snort_log_t) > create_files_pattern(snort_t, snort_log_t, snort_log_t) > setattr_files_pattern(snort_t, snort_log_t, snort_log_t) > +write_files_pattern(snort_t, snort_log_t, snort_log_t) > logging_log_filetrans(snort_t, snort_log_t, { file dir }) > > manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
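Review bot: The second snort.te hunk (@@ -43,9 +44,9 @@) quietly broadens snort_t's access to its own logs beyond what the commit message describes: `-append_files_pattern(snort_t, snort_log_t, snort_log_t)` becomes `+write_files_pattern(snort_t, snort_log_t, snort_log_t)`, which grants the plain `write` permission on snort_log_t files, so the daemon can overwrite or rewrite existing log contents rather than only append to them. The message only talks about the /var/run/snort directory transition, so a reader of the history cannot tell why the log-file access had to change. Suggest either adding a sentence to the commit message stating which log file snort needs to write non-sequentially, or moving this hunk into its own patch so the weakening of the append-only log policy is visible and revertable on its own.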
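Review bot: In the snort.fc hunk, the new `+/var/run/snort(/.*)?` entry and the existing `/var/run/snort.* --` entry both match regular files below /var/run/snort/ (the `.*` in the old pattern also matches a `/` and what follows); since both resolve to snort_var_run_t there is no labeling conflict, but it is worth stating in the message whether the old line is kept on purpose for a top-level /var/run/snort.pid, given that the stated intent is to move the PID file into the new directory.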