# SELinux policy module for the arpwatch daemon: declares its domain and
# file types, then lists the local rules that domain is granted.

policy_module(arpwatch, 1.9.0)

########################################
#
# Declarations
#

# Daemon domain and the executable that enters it when started by init.
type arpwatch_t;
type arpwatch_exec_t;
init_daemon_domain(arpwatch_t, arpwatch_exec_t)

# Persistent data the daemon manages (see the manage_* rules below); the
# labelled paths live in the module's .fc file, which is not shown here.
type arpwatch_data_t;
files_type(arpwatch_data_t)

# Init script for the service.
type arpwatch_initrc_exec_t;
init_script_file(arpwatch_initrc_exec_t)

# Temporary files; assigned on creation in the generic tmp directory by the
# files_tmp_filetrans rule below.
type arpwatch_tmp_t;
files_tmp_file(arpwatch_tmp_t)

# PID file; assigned on creation in the generic pid directory by the
# files_pid_filetrans rule below.
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)

########################################
#
# Local policy
#
# net_raw backs the packet_socket rule below; net_admin and the
# setuid/setgid pair are granted as well (presumably interface control and
# privilege dropping — verify against the daemon's startup code).
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
# Silenced rather than granted: keeps the audit log free of a denial the
# daemon does not need resolved.
dontaudit arpwatch_t self:capability sys_tty_config;
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
# Note the explicit connect: together with the *_all_ports rules further
# down this lets the domain initiate TCP connections to any labelled port.
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
# Link-layer capture socket.
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;

# Full control over the contents of its own data location.
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)

# Temp files and dirs the daemon creates in tmp are labelled arpwatch_tmp_t.
manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })

# The PID file the daemon creates in the pid directory is labelled
# arpwatch_var_run_t; only files (no dirs) are covered here.
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)

# Kernel-provided state, per the interface names: network state, kernel
# sysctls, /proc listing and its symlinks.
kernel_read_network_state(arpwatch_t)
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)

# Network access, per the interface names: receive unlabeled and NetLabel
# traffic, send/receive tcp/udp/raw on generic interfaces and nodes, and
# send/receive on all tcp and udp ports.
# NOTE(review): the *_all_ports pair is the widest grant in this module; if
# the daemon only needs a fixed set of ports, narrowing it limits what a
# compromised arpwatch_t can reach.
corenet_all_recvfrom_unlabeled(arpwatch_t)
corenet_all_recvfrom_netlabel(arpwatch_t)
corenet_tcp_sendrecv_generic_if(arpwatch_t)
corenet_udp_sendrecv_generic_if(arpwatch_t)
corenet_raw_sendrecv_generic_if(arpwatch_t)
corenet_tcp_sendrecv_generic_node(arpwatch_t)
corenet_udp_sendrecv_generic_node(arpwatch_t)
corenet_raw_sendrecv_generic_node(arpwatch_t)
corenet_tcp_sendrecv_all_ports(arpwatch_t)
corenet_udp_sendrecv_all_ports(arpwatch_t)

# Device access.
# NOTE(review): dev_rw_generic_usb_dev grants read/write on generic USB
# device nodes; nothing else in this file explains why an ARP monitor needs
# it — confirm it is still required before keeping it.
dev_read_sysfs(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)

# Filesystem metadata on all filesystems and search of automount points.
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)

corecmd_read_bin_symlinks(arpwatch_t)

domain_use_interactive_fds(arpwatch_t)

# Read-only access to etc and usr files; search-only on var/lib
# (per the interface names).
files_read_etc_files(arpwatch_t)
files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)

# Name-service lookups through NSS.
auth_use_nsswitch(arpwatch_t)

logging_send_syslog_msg(arpwatch_t)

miscfiles_read_localization(arpwatch_t)

# Silenced, not granted: probes of user home dirs and unprivileged user
# fds are treated as expected noise rather than something to allow.
userdom_dontaudit_search_user_home_dirs(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)

# Hands messages to the MTA (presumably arpwatch's mailed notifications —
# confirm against the daemon's configuration).
mta_send_mail(arpwatch_t)

# Applied only when the seutil module is present in the loaded policy.
optional_policy(`
	seutil_sigchld_newrole(arpwatch_t)
')

# Applied only when the udev module is present in the loaded policy.
optional_policy(`
	udev_read_db(arpwatch_t)
')