Various arpwatch fixes.

Allow domains to search /var/lib to enable interaction with arpwatch data. Allow domains to search /tmp to enable interaction with arpwatch tmp content. Create arpwatch initrc domtrans. Call arpwatch initrc domtrans from arpwatch_admin. Remove obsolete require. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-02-24 13:41:39 +01:00 · 2010-02-24 13:41:39 +01:00 · d783374bc9
commit d783374bc9
parent 6eed0aa57c
1 changed files with 23 additions and 2 deletions
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@ -1,5 +1,23 @@
 ## <summary>Ethernet activity monitor.</summary>

+########################################
+## <summary>
+##	Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_initrc_domtrans',`
+	gen_require(`
+		type arpwatch_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Search arpwatch's data file directories.
@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
 		type arpwatch_data_t;
 	')

+	files_search_var_lib($1)
 	allow $1 arpwatch_data_t:dir search_dir_perms;
 ')

@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
 		type arpwatch_data_t;
 	')

+	files_search_var_lib($1)
 	manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
 ')

@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
 		type arpwatch_tmp_t;
 	')

+	files_search_tmp($1)
 	allow $1 arpwatch_tmp_t:file rw_file_perms;
 ')

@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
 		type arpwatch_tmp_t;
 	')

+	files_search_tmp($1)
 	allow $1 arpwatch_tmp_t:file manage_file_perms;
 ')

@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
 	gen_require(`
 		type arpwatch_t, arpwatch_tmp_t;
 		type arpwatch_data_t, arpwatch_var_run_t;
-		type arpwatch_initrc_exec_t;
 	')

 	allow $1 arpwatch_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, arpwatch_t)

-	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+	arpwatch_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 arpwatch_initrc_exec_t system_r;
 	allow $2 system_r;