Hey all,
I'm trying to run Snort 2.1.3 under Fedora Core 2, with SELinux. When I restart Snort, it dies after logging the message "pcap_loop: recvfrom: Socket operation on non-socket." When I put SELinux in permissive mode, Snort works fine. So, I know the problem is with my SELinux policy configuration. Thing is, SELinux doesn't log any AVC messages explaining Snort's death.
As an experiment, I deleted the dontaudit rules from policy.conf, and built and loaded the modified policy. The resulting AVC messages identified about a half dozen operations that were failing. One of them seems to be responsible for killing Snort. Adding the rule:
allow snort_t sysadm_devpts_t:chr_file { read write };
enables Snort to restart just fine.
Some questions arise:
1. Is the technique of deleting dontaudit rules valid, or is there a better way?
2. Is there possibly a better policy tweak that would permit Snort to restart okay? I'm not cheerful about giving Snort access to the console.
3. What's with Snort trying to access /dev/pts? Seems to me that a daemonized program shouldn't do that. So, there's obviously something I don't know.
Thanks,
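Added example, not part of the message above: a small audit2allow-style script that turns AVC denial lines of the kind the post describes into candidate allow rules, grouping the denied permissions by source type, target type and object class, and flagging any rule whose target is a terminal device type so it gets a second look before being added to the policy. The log lines, the pids and inodes, and the list of terminal types are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines in the 2.6-kernel dmesg format; they are not
# from the poster's system and the pids/inodes are made up.
SAMPLE_AVC = """\
audit(1090000000.100:0): avc:  denied  { read write } for  pid=2411 exe=/usr/sbin/snort path=/dev/pts/1 dev=devpts ino=3 scontext=root:sysadm_r:snort_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1090000000.101:0): avc:  denied  { getattr } for  pid=2411 exe=/usr/sbin/snort path=/dev/pts/1 dev=devpts ino=3 scontext=root:sysadm_r:snort_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1090000000.102:0): avc:  denied  { search } for  pid=2411 exe=/usr/sbin/snort name=root dev=hda2 ino=12 scontext=root:sysadm_r:snort_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
kernel: eth0: Promiscuous mode enabled.
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

# Target types naming a terminal device. A daemon that inherits its parent's
# stdio descriptors touches these without needing them (assumption: own list).
TERMINAL_TYPES = {"sysadm_devpts_t", "sysadm_tty_device_t"}


def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the promiscuous-mode line)
        src = m.group("src").split(":")[-1]  # keep only the type field
        tgt = m.group("tgt").split(":")[-1]
        grouped[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return grouped


def suggest_rules(grouped):
    """Emit one allow rule per key; mark terminal-device targets for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in TERMINAL_TYPES:
            rule += "  # REVIEW: terminal device; check the daemon really needs it"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in suggest_rules(parse_avc(SAMPLE_AVC)):
        print(r)
```

Run against the real kernel log (dmesg or /var/log/messages) once the dontaudit rules are stripped, the REVIEW markers separate the one rule that actually unblocks the daemon from noise caused by inherited descriptors.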