[Snort-users] can't run snort via systemd

Ryan Bohn ryan.bohn at cord.bc.ca
Mon Dec 10 23:02:21 EST 2018


I figured it out by seeing the /var/log/audit/audit.log fill up with deny messages from selinux when snort started under systemd or sysvinit.

This is for RHEL 7.6 / CentOS 7.6.

Then I did the following to fix:


1. yum install setroubleshoot setools (need these installed to run below commands)

2. sealert -a /var/log/audit/audit.log (analyzes the audit log and reports on what tried to do what, why it failed, and suggests how to fix, which gave me the two following commands in whole)

3. ausearch -c 'snort' --raw | audit2allow -M my-snort (create an selinux allow policy file based on the audit failures)

4. semodule -i my-snort.pp (install the selinux policy for snort)

Started my snort systemd services after this without any issue.

This is what the sealert command comes back with, showing that snort was denied map access on the packet_socket.

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/snort-plain from map access on the packet_socket packet_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snort-plain should be allowed map access on the packet_socket packet_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snort' --raw | audit2allow -M my-snort
# semodule -i my-snort.pp



Ryan Bohn
Network & Systems Administrator
t: 250-469-6273 | f: 250-763-0606 | www.regionaldistrict.com

Facebook: http://www.facebook.com/regionaldistrict | Instagram: http://www.instagram.com/rdco.cord/ | YouTube: http://www.youtube.com/user/regionaldistrict
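The four-step fix above hands the whole job to audit2allow, whose catchall output is easy to install without reading. The script below is an added example, not code from the original post or from the Snort project: a small POSIX sh/awk stand-in for `ausearch -c 'snort' --raw | audit2allow -M my-snort` that turns AVC denial records into a type-enforcement (.te) module you can read, and trim, before building and loading it. The audit records embedded in it are constructed sample input modelled on the "map on packet_socket" denial reported by sealert; the `init_t` source context, the pid, the unrelated `etc_t` and `sshd_t` records and the module name `my-snort` are assumptions, not values from the original post. Read the real scontext/tcontext from your own /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): a minimal
# audit2allow-style converter.  Reads raw audit records on stdin, keeps only
# AVC denials whose comm matches the first argument, and prints a .te module
# with one allow rule per (source type, target type, class).  Same-type
# targets are written as "self", as audit2allow does.
#
# CONSTRUCTED sample input: modelled on the map/packet_socket denial in the
# thread.  init_t, the pid, and the extra etc_t/sshd_t records are assumptions.
SAMPLE_AUDIT='type=AVC msg=audit(1544479500.123:456): avc:  denied  { map } for  pid=17635 comm="snort" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket permissive=0
type=SYSCALL msg=audit(1544479500.123:456): arch=c000003e syscall=9 success=no exit=-13 comm="snort" exe="/usr/sbin/snort-plain"
type=AVC msg=audit(1544479500.124:457): avc:  denied  { map } for  pid=17635 comm="snort" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1544479500.300:458): avc:  denied  { read } for  pid=17635 comm="snort" name="snort.conf" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544479500.400:459): avc:  denied  { write } for  pid=2222 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_to_te COMM MODULE < audit-records
avc_to_te() {
    awk -v want="$1" -v mod="$2" '
    # remember each type once, in first-seen order, for the require{} block
    function add_type(x) { if (!(x in seen_t)) { seen_t[x] = 1; torder[++nt] = x } }

    /^type=AVC / && / denied / {
        # permission set is the text between "{" and "}" after "denied"
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        c = s = t = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { c = substr($i, 6); gsub(/"/, "", c) }
            if ($i ~ /^scontext=/) { s = substr($i, 10) }
            if ($i ~ /^tcontext=/) { t = substr($i, 10) }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (c != want) next                      # ignore other daemons
        split(s, sa, ":"); split(t, ta, ":")     # user:role:type:level -> type
        src = sa[3]; tgt = (sa[3] == ta[3]) ? "self" : ta[3]
        add_type(src); if (tgt != "self") add_type(tgt)
        key = src " " tgt ":" cls
        if (!(key in rule))  { order[++nr] = key; rule[key] = "" }
        if (!(cls in cperm)) { corder[++nc] = cls; cperm[cls] = "" }
        n = split(perms, pa, " ")
        for (j = 1; j <= n; j++) {               # merge perms, no duplicates
            if (index(" " rule[key] " ", " " pa[j] " ") == 0)
                rule[key] = rule[key] (rule[key] == "" ? "" : " ") pa[j]
            if (index(" " cperm[cls] " ", " " pa[j] " ") == 0)
                cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") pa[j]
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", corder[i], cperm[corder[i]]
        print "}\n"
        for (i = 1; i <= nr; i++) printf "allow %s { %s };\n", order[i], rule[order[i]]
    }'
}

# Stand-alone run over the constructed records; prints the generated .te
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_te snort my-snort
```

Against the constructed records this prints a module whose rules are `allow init_t self:packet_socket { map };` and `allow init_t etc_t:file { read };`, and nothing for the sshd record. On a real sensor you would run it as `avc_to_te snort my-snort < /var/log/audit/audit.log > my-snort.te`, delete any rule you do not recognise as something Snort needs, then build and load it with `checkmodule -M -m -o my-snort.mod my-snort.te`, `semodule_package -o my-snort.pp -m my-snort.mod` and `semodule -i my-snort.pp` (the same steps `audit2allow -M` runs for you). The point of reading the .te first is that a catchall-generated module grants every denial in the log to the source domain; if that domain is a broad one such as `init_t`, every other unconfined-by-policy service started by systemd gets the same access.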



From: John Byrne <jbyrnescu at gmail.com>
Sent: December 10, 2018 4:22 PM
To: Ryan Bohn <ryan.bohn at cord.bc.ca>
Cc: snort-users at lists.snort.org
Subject: Re: [Snort-users] can't run snort via systemd

What did you do to figure that one out?  An strace or something?  (You don’t have to give away all of your admin secrets… but I am curious so I have to ask)

Curiously,
John Byrne


On Dec 10, 2018, at 3:27 PM, Ryan Bohn via Snort-users <snort-users at lists.snort.org> wrote:

I’ve tracked it down to this:

When I set selinux to permissive, all works as it should. It seems RHEL 7.6 made a change to selinux and mmap calls, as noted in this 7.6 release note.

selinux-policy now checks file permissions when mmap() is used

This release introduces a new permission check on the mmap() system call. The purpose of a separate map permission check on mmap() is to permit policy to prohibit memory mapping of specific files for which you need to ensure that every access is revalidated. This is useful for scenarios where you expect the files to be relabeled at run-time to reflect state changes, for example, in a cross-domain solution or an assured pipeline without data copying.
This functionality is enabled by default. Also, a new SELinux boolean, domain_can_mmap_files, has been added. If domain_can_mmap_files is enabled, every domain can use mmap() in every file, a character device or a block device. If domain_can_mmap_files is disabled, the list of domains that can use mmap() is limited. (BZ#1460322)

It seems anyone who runs snort on RHEL 7.6/CentOS 7.6 will run into this issue. Now to write a rule/whatever for selinux to allow snort while in enforcing mode… never had to do this before…

From: Snort-users <snort-users-bounces at lists.snort.org> On Behalf Of Ryan Bohn via Snort-users
Sent: December 10, 2018 9:51 AM
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] can't run snort via systemd

Am I the only one?

Any one else ever get the “FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Permission denied!” error or similar?

From: Snort-users <snort-users-bounces at lists.snort.org> On Behalf Of Ryan Bohn via Snort-users
Sent: December 7, 2018 3:25 PM
To: snort-users at lists.snort.org
Subject: [Snort-users] can't run snort via systemd

Hey all,

Been running snort 2.9.12 with daq 2.0.6 for months with no issues on Centos 7.5. It has been using the default snortd bash script under /etc/init.d, which systemd was legacy redirecting to start it via its method. Upgraded to Centos 7.6 and now it won't start at all under systemd. Other than upgrading the OS, I haven't changed anything.

Dec  7 15:15:46 klo-sensor snort[17635]: Running in IDS mode
Dec  7 15:15:46 klo-sensor snort[17635]:        --== Initializing Snort ==--
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Output Plugins!
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Preprocessors!
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Plug-ins!
Dec  7 15:15:46 klo-sensor snort[17635]: Parsing Rules file "/etc/snort/snort.conf"
Dec  7 15:15:47 klo-sensor snort[17635]: Tagged Packet Limit: 256
Dec  7 15:15:47 klo-sensor snort[17635]: Log directory = /var/log/snort/ens161
<SNIP>
Dec  7 15:15:47 klo-sensor snort[17635]: Rule application order: pass->drop->sdrop->reject->alert->log
Dec  7 15:15:47 klo-sensor snort[17635]: Verifying Preprocessor Configurations!
Dec  7 15:15:47 klo-sensor snort[17635]: [ Port Based Pattern Matching Memory ]
Dec  7 15:15:47 klo-sensor snort[17635]: pcap DAQ configured to passive.
Dec  7 15:15:47 klo-sensor snort[17635]: Acquiring network traffic from "ens161".
Dec  7 15:15:47 klo-sensor snort[17635]: Initializing daemon mode
Dec  7 15:15:47 klo-sensor snort[17635]: Daemon initialized, signaled parent pid: 1
Dec  7 15:15:47 klo-sensor snort[17635]: Reload thread starting...
Dec  7 15:15:47 klo-sensor snort[17635]: Reload thread started, thread 0x7f8927358700 (17641)
Dec  7 15:15:47 klo-sensor snort[17635]: FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Permission denied!

When I run the snort binary directly with all the options, or move the snortd bash script out of /etc/init.d, it works, but if snort is started by systemd in any way (legacy redirect on init.d or even if I write my own snort.service unit file for systemd) it always fails with that error. Obviously, in some way systemd is doing something different and it doesn't have the permission to access the daq/pcap stuff.

Anyone seen this?

Thanks, Ryan.
_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

                To unsubscribe, send an email to:
snort-users-leave at lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
