Various arpwatch fixes.
Allow callers of the arpwatch data interfaces to search /var/lib so they can reach arpwatch data. Allow callers of the arpwatch tmp interfaces to search /tmp so they can reach arpwatch tmp content. Add an arpwatch_initrc_domtrans() interface and call it from arpwatch_admin(). Remove obsolete require. Signed-off-by: Dominick Grift <domg472@gmail.com>
This commit is contained in:
parent
6eed0aa57c
commit
d783374bc9
@ -1,5 +1,23 @@
|
|||||||
## <summary>Ethernet activity monitor.</summary>
|
## <summary>Ethernet activity monitor.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute arpwatch server in the arpwatch domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`arpwatch_initrc_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type arpwatch_initrc_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search arpwatch's data file directories.
|
## Search arpwatch's data file directories.
|
||||||
@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
|
|||||||
type arpwatch_data_t;
|
type arpwatch_data_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
allow $1 arpwatch_data_t:dir search_dir_perms;
|
allow $1 arpwatch_data_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
|
|||||||
type arpwatch_data_t;
|
type arpwatch_data_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
|
manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
|
|||||||
type arpwatch_tmp_t;
|
type arpwatch_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
allow $1 arpwatch_tmp_t:file rw_file_perms;
|
allow $1 arpwatch_tmp_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
|
|||||||
type arpwatch_tmp_t;
|
type arpwatch_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
allow $1 arpwatch_tmp_t:file manage_file_perms;
|
allow $1 arpwatch_tmp_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
|
|||||||
gen_require(`
|
gen_require(`
|
||||||
type arpwatch_t, arpwatch_tmp_t;
|
type arpwatch_t, arpwatch_tmp_t;
|
||||||
type arpwatch_data_t, arpwatch_var_run_t;
|
type arpwatch_data_t, arpwatch_var_run_t;
|
||||||
type arpwatch_initrc_exec_t;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
|
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
|
||||||
ps_process_pattern($1, arpwatch_t)
|
ps_process_pattern($1, arpwatch_t)
|
||||||
|
|
||||||
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
|
arpwatch_initrc_domtrans($1)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 arpwatch_initrc_exec_t system_r;
|
role_transition $2 arpwatch_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
|
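Review bot: The last hunk removes `type arpwatch_initrc_exec_t;` from arpwatch_admin's gen_require block, yet `role_transition $2 arpwatch_initrc_exec_t system_r;` further down in the same interface still names that type directly. The new arpwatch_initrc_domtrans() interface only requires the type for its own init_labeled_script_domtrans call; the role_transition is expanded into whatever module calls arpwatch_admin(), so I expect a loadable module that does not itself declare arpwatch_initrc_exec_t to fail to build with the type undeclared. The require is obsolete for the domtrans call but not for the role_transition, so keep it, e.g. `type arpwatch_data_t, arpwatch_var_run_t, arpwatch_initrc_exec_t;` on the second require line. The arpwatch_admin interface opens in the hunk header context and closes outside the hunk.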