1 policy_module(arpwatch, 1.10.0)
2
3 ########################################
4 #
5 # Declarations
6 # One type per kind of object the daemon touches, so each can be granted separately in the local policy.
7
8 type arpwatch_t; # process domain the daemon runs in
9 type arpwatch_exec_t; # label for the daemon executable
10 init_daemon_domain(arpwatch_t, arpwatch_exec_t) # daemon domain started by init, entered through arpwatch_exec_t
11
12 type arpwatch_data_t; # daemon data; presumably the ARP database, file contexts are not shown here - confirm
13 files_type(arpwatch_data_t)
14
15 type arpwatch_initrc_exec_t; # label for the init script
16 init_script_file(arpwatch_initrc_exec_t)
17
18 type arpwatch_tmp_t; # private temporary files and directories
19 files_tmp_file(arpwatch_tmp_t)
20
21 type arpwatch_var_run_t; # pid file
22 files_pid_file(arpwatch_var_run_t)
23
24 ########################################
25 #
26 # Local policy
27 # Rules on self: capabilities, signals and the socket classes arpwatch_t may create.
28 allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; # NOTE(review): net_raw and net_admin fit packet capture; setuid and setgid are presumably for dropping root - confirm
29 dontaudit arpwatch_t self:capability sys_tty_config; # not a grant: the denial stays, only its audit record is suppressed
30 allow arpwatch_t self:process signal_perms;
31 allow arpwatch_t self:unix_dgram_socket create_socket_perms;
32 allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
33 allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; # NOTE(review): outbound TCP from an ARP monitor - confirm which feature needs connect
34 allow arpwatch_t self:udp_socket create_socket_perms;
35 allow arpwatch_t self:packet_socket create_socket_perms; # link-layer socket used for capture
36 allow arpwatch_t self:socket create_socket_perms; # NOTE(review): generic socket class on top of the specific ones above - confirm it is still needed
37
38 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) # full management of its own data directories
39 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) # ... and data files
40 manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) # ... and symlinks inside the data tree
41
42 manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
43 manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
44 files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) # files and dirs the daemon creates in the tmp directory get arpwatch_tmp_t instead of the generic tmp type
45
46 manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
47 files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) # files the daemon creates in the pid directory get arpwatch_var_run_t
48
49 kernel_read_network_state(arpwatch_t) # read-only view of kernel network state
50 # general system state; the original note on this line names meminfo as the reason
51 kernel_read_system_state(arpwatch_t)
52 kernel_read_kernel_sysctls(arpwatch_t)
53 kernel_read_proc_symlinks(arpwatch_t)
54 kernel_request_load_module(arpwatch_t) # NOTE(review): lets the domain ask the kernel to load a module; presumably for packet socket support - confirm it is required
55
56 corenet_all_recvfrom_unlabeled(arpwatch_t) # accept traffic that carries no network label
57 corenet_all_recvfrom_netlabel(arpwatch_t)
58 corenet_tcp_sendrecv_generic_if(arpwatch_t) # generic interfaces: TCP, UDP and raw below
59 corenet_udp_sendrecv_generic_if(arpwatch_t)
60 corenet_raw_sendrecv_generic_if(arpwatch_t)
61 corenet_tcp_sendrecv_generic_node(arpwatch_t) # generic nodes: TCP, UDP and raw below
62 corenet_udp_sendrecv_generic_node(arpwatch_t)
63 corenet_raw_sendrecv_generic_node(arpwatch_t)
64 corenet_tcp_sendrecv_all_ports(arpwatch_t) # NOTE(review): every TCP port type, not scoped to a service; check whether a narrower per-port interface would do
65 corenet_udp_sendrecv_all_ports(arpwatch_t) # NOTE(review): same breadth for UDP - confirm against what the daemon actually sends
66
67 dev_read_sysfs(arpwatch_t)
68 dev_read_usbmon_dev(arpwatch_t) # NOTE(review): presumably because the capture library enumerates usbmon devices - confirm
69 dev_rw_generic_usb_dev(arpwatch_t) # NOTE(review): read and write on generic USB device nodes looks unrelated to ARP monitoring; verify against audit logs before keeping
70
71 fs_getattr_all_fs(arpwatch_t) # attributes of filesystems only, no access to their contents
72 fs_search_auto_mountpoints(arpwatch_t)
73
74 corecmd_read_bin_symlinks(arpwatch_t)
75
76 domain_use_interactive_fds(arpwatch_t) # use file descriptors inherited from an interactive session
77
78 files_read_etc_files(arpwatch_t)
79 files_read_usr_files(arpwatch_t)
80 files_search_var_lib(arpwatch_t) # search only; presumably to reach the data directory - confirm against the file contexts
81
82 auth_use_nsswitch(arpwatch_t) # name service lookups through nsswitch
83
84 logging_send_syslog_msg(arpwatch_t)
85
86 miscfiles_read_localization(arpwatch_t)
87
88 userdom_dontaudit_search_user_home_dirs(arpwatch_t) # dontaudit: home directory searches stay denied, just unlogged
89 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) # dontaudit: same for inherited unprivileged user fds
90
91 mta_send_mail(arpwatch_t) # presumably for the mail reports arpwatch sends; confirm what the interface grants in this policy version
92
93 optional_policy(`
94 seutil_sigchld_newrole(arpwatch_t) # applies only when the module providing this interface is present
95 ')
96
97 optional_policy(`
98 udev_read_db(arpwatch_t) # read access to the udev database, only when the udev module is present
99 ')