Snort and sysadm_devpts
Business DSL User
biz7rv0y at verizon.net
Sun Aug 15 20:20:06 UTC 2004
Hey all,
I'm trying to run Snort 2.1.3 under Fedora Core 2, with SELinux. When I
restart Snort, it dies after logging the message "pcap_loop: recvfrom:
Socket operation on non-socket." When I put SELinux in permissive mode,
Snort works fine. So, I know the problem is with my SELinux policy
configuration. Thing is, SELinux doesn't log any AVC messages explaining
Snort's death.
As an experiment, I deleted the dontaudit rules from policy.conf, and built
and loaded the modified policy. The resulting AVC messages identified about
a half dozen operations that were failing. One of them seems to be
responsible for killing Snort. Adding the rule:
allow snort_t sysadm_devpts_t:chr_file { read write };
enables Snort to restart just fine.
Some questions arise:
1. Is the technique of deleting dontaudit rules valid, or is there a better
way?
2. Is there possibly a better policy tweak that would permit Snort to
restart okay? I'm not cheerful about giving Snort access to the console.
3. What's with Snort trying to access /dev/pts? Seems to me that a
daemonized program shouldn't do that. So, there's obviously something I
don't know.
Thanks,
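An added example, not part of this post or of any Fedora tooling: a small Python script that aggregates AVC denials (constructed sample lines in the Fedora Core 2 kernel log format, including the sysadm_devpts_t denial discussed above) into allow rules the way audit2allow does, and separately flags any rule that would grant a daemon access to terminal device types so those can be reviewed rather than added wholesale. The sample pids, inode numbers, timestamps and the var_log_t denial are made up.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in the kernel-2.6 printk format used on
# Fedora Core 2; pids, inodes and timestamps are invented for illustration.
SAMPLE_AVC = """\
audit(1092600000.101:0): avc:  denied  { read } for  pid=3141 exe=/usr/sbin/snort path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:snort_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1092600000.102:0): avc:  denied  { write } for  pid=3141 exe=/usr/sbin/snort path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:snort_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1092600000.103:0): avc:  denied  { search } for  pid=3141 exe=/usr/sbin/snort name=log dev=hda2 ino=16 scontext=root:system_r:snort_t tcontext=system_u:object_r:var_log_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Terminal device types: a daemon denied on these has usually inherited the
# administrator's pty as stdin/stdout/stderr, which is worth reviewing
# before writing an allow rule that hands it the console.
TTY_TYPES = {"sysadm_devpts_t", "devpts_t", "tty_device_t", "console_device_t"}

def parse_denials(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]   # user:role:type -> type
        ttype = m.group("tcon").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials

def to_rules(denials):
    """Render one allow rule per (source, target, class), audit2allow style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        plist = " ".join(sorted(perms))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {plist} }};")
    return rules

def tty_targets(denials):
    """Return the keys whose target is a terminal device type, for review."""
    return sorted(k for k in denials if k[1] in TTY_TYPES)

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AVC)
    print("\n".join(to_rules(found)))
    for key in tty_targets(found):
        print(f"# review: {key[0]} would gain terminal access to {key[1]}")
```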