# Reference-policy module for the arpwatch daemon.
# The first section declares the process domain and its private file types;
# the "Local policy" section grants the daemon what it may do, first on
# resources it owns (self, its data/tmp/pid types) and then via interfaces
# exported by other modules.
policy_module(arpwatch,1.3.0)

########################################
#
# Declarations
#

# arpwatch_t is the domain the daemon runs in; arpwatch_exec_t labels the
# binary that is the entrypoint into it.  init_daemon_domain() wires the
# transition from init into arpwatch_t on exec of arpwatch_exec_t.
type arpwatch_t;
type arpwatch_exec_t;
init_daemon_domain(arpwatch_t,arpwatch_exec_t)

# Persistent data files (the arp/ethernet database) get a private type so
# only rules below (and explicit interfaces elsewhere) can touch them.
type arpwatch_data_t;
files_type(arpwatch_data_t)

# Private temporary files; files_tmp_file() marks this as a tmp type so the
# generic tmp cleanup/relabel policy applies to it.
type arpwatch_tmp_t;
files_tmp_file(arpwatch_tmp_t)

# Private pid file type under /var/run.
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)

########################################
#
# Local policy
#
# Process capabilities.  net_raw matches the packet_socket rule further down
# (raw capture); net_admin is presumably for putting interfaces into
# promiscuous mode, and setuid/setgid for dropping privileges after start --
# TODO confirm against the daemon's startup code before narrowing.
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
# Denied without an AVC log entry: the daemon probes tty config but does not
# need it.
dontaudit arpwatch_t self:capability sys_tty_config;
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
# Read-only netlink route access (interface/address enumeration); no write
# perms on the route socket are granted.
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
# connect on the socket object only; whether a connect to a port type is
# allowed depends on corenet interfaces, none of which appear below.
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
# Raw packet capture socket -- the core of what arpwatch does.
allow arpwatch_t self:packet_socket create_socket_perms;

# Full management of its own data directory/files/symlinks.
manage_dirs_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t)
manage_files_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t)
manage_lnk_files_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t)

# Temp files/dirs: new objects created in tmp are automatically labelled
# arpwatch_tmp_t (file and dir classes only) rather than the generic tmp type.
manage_dirs_pattern(arpwatch_t,arpwatch_tmp_t,arpwatch_tmp_t)
manage_files_pattern(arpwatch_t,arpwatch_tmp_t,arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })

# Pid file: managed and auto-labelled on creation under the pid directory.
manage_files_pattern(arpwatch_t,arpwatch_var_run_t,arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)

# Read-only kernel/proc information.
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)

# Network access is deliberately broad: send/receive on every interface,
# node and port, for tcp, udp and raw.  This is the sniffing use case; note
# that nothing here grants name_bind/name_connect on a port type, and no
# corenet_tcp_connect_* interface is present in this file.
corenet_non_ipsec_sendrecv(arpwatch_t)
corenet_tcp_sendrecv_all_if(arpwatch_t)
corenet_udp_sendrecv_all_if(arpwatch_t)
corenet_raw_sendrecv_all_if(arpwatch_t)
corenet_tcp_sendrecv_all_nodes(arpwatch_t)
corenet_udp_sendrecv_all_nodes(arpwatch_t)
corenet_raw_sendrecv_all_nodes(arpwatch_t)
corenet_tcp_sendrecv_all_ports(arpwatch_t)
corenet_udp_sendrecv_all_ports(arpwatch_t)

dev_read_sysfs(arpwatch_t)

fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)

corecmd_read_bin_symlinks(arpwatch_t)

# Inherit/use fds from the interactive session that started the daemon.
domain_use_interactive_fds(arpwatch_t)

# Generic read access needed by almost every daemon (config, /usr, /var/lib
# search for its own data dir).
files_read_etc_files(arpwatch_t)
files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)

# Dynamic linker and shared libraries.
libs_use_ld_so(arpwatch_t)
libs_use_shared_libs(arpwatch_t)

logging_send_syslog_msg(arpwatch_t)

miscfiles_read_localization(arpwatch_t)

# /etc/resolv.conf and friends.
sysnet_read_config(arpwatch_t)

# Silence (not allow) leaked fds from unprivileged users and searches of the
# sysadmin home dir; these are noise, not required access.
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)

# arpwatch reports changes by mail; this interface covers the sendmail path.
mta_send_mail(arpwatch_t)

# Only compiled into the targeted policy type: quiet tty/pty and root-file
# denials that are harmless there.
ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(arpwatch_t)
	term_dontaudit_use_generic_ptys(arpwatch_t)
	files_dontaudit_read_root_files(arpwatch_t)
')

# Each optional_policy block is enabled only when the module providing the
# interface is itself loaded.
optional_policy(`
	nis_use_ypbind(arpwatch_t)
')

optional_policy(`
	corecmd_search_bin(arpwatch_t)
')

optional_policy(`
	seutil_sigchld_newrole(arpwatch_t)
')

optional_policy(`
	udev_read_db(arpwatch_t)
')