#DESC Snort - Network sniffer
#
# Author: Shaun Savage
# Modified by Russell Coker
# X-Debian-Packages: snort-common
#

# Domain and type declarations.
# daemon_domain() provides snort_t, logdir_domain() provides snort_log_t and
# tmp_domain() provides snort_tmp_t; snort_etc_t is declared here for the
# configuration files.
daemon_domain(snort)
logdir_domain(snort)
tmp_domain(snort)
type snort_etc_t, file_type, sysadmfile;

# Configuration access: recursive read of snort_etc_t, plus read of the
# generic /etc files and symlinks. The init script (initrc_t) also needs to
# read the snort_etc_t files.
r_dir_file(snort_t, snort_etc_t)
allow snort_t etc_t:file { read getattr };
allow snort_t etc_t:lnk_file read;
allow initrc_t snort_etc_t:file read;

# Log directory: snort_t may create directories under snort_log_t.
allow snort_t snort_log_t:dir create;

# Networking: server-side network access, a raw packet socket for sniffing
# and a routing netlink socket (the original comment described this as the
# "iptable netlink"; netlink_route_socket is the routing family).
can_network_server(snort_t)
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:netlink_route_socket { create bind getattr read write nlmsg_read };

# Local IPC sockets.
allow snort_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;

# Capabilities: privilege drop (setuid/setgid), raw/admin networking, and
# dac_override (bypasses file mode checks -- worth confirming it is still
# required rather than a leftover from an older configuration layout).
allow snort_t self:capability { setuid setgid net_raw net_admin dac_override };

# Silence expected denials on files snort_t does not need.
dontaudit snort_t etc_runtime_t:file read;
dontaudit snort_t proc_t:file read;