Various arpwatch fixes.
Allow calling domains to search /var/lib so they can reach arpwatch data, and to search /tmp so they can reach arpwatch tmp content. Add an arpwatch_initrc_domtrans() interface and call it from arpwatch_admin() instead of calling init_labeled_script_domtrans() directly. Remove an obsolete require. Signed-off-by: Dominick Grift <domg472@gmail.com>
This commit is contained in:
parent
6eed0aa57c
commit
d783374bc9
@ -1,5 +1,23 @@
|
||||
## <summary>Ethernet activity monitor.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute arpwatch server in the arpwatch domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`arpwatch_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type arpwatch_initrc_exec_t;
|
||||
')
|
||||
|
||||
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search arpwatch's data file directories.
|
||||
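Review bot: The summary of the new `arpwatch_initrc_domtrans` interface says it executes the arpwatch server in the arpwatch domain, but the body only calls `init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)`, which transitions the caller into the init-script domain when it runs the labeled init script; nothing in this interface transitions into the arpwatch daemon domain. A reader picking between this and a daemon domtrans will be misled, and the wording also breaks with how sibling refpolicy modules describe their initrc interfaces. Suggest `## Execute arpwatch init scripts in the initrc domain.` as the summary; the `domain` parameter description can stay as written.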
@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
|
||||
type arpwatch_data_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 arpwatch_data_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
|
||||
type arpwatch_data_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
|
||||
')
|
||||
|
||||
@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
|
||||
type arpwatch_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 arpwatch_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
|
||||
type arpwatch_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 arpwatch_tmp_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
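Review bot: `arpwatch_manage_tmp_files` keeps `allow $1 arpwatch_tmp_t:file manage_file_perms;` next to the new `files_search_tmp($1)`, while `arpwatch_manage_data_files` in this same commit uses `manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)`. If I recall the refpolicy macro correctly, the pattern form also grants the directory permissions on the second type that a caller needs to create or unlink files, which a bare file rule does not; with only search on /tmp the caller can modify existing arpwatch_tmp_t files but cannot create new ones inside an arpwatch_tmp_t directory. Whether that matters depends on whether arpwatch ever labels a tmp directory arpwatch_tmp_t, which I cannot see from here, but for consistency with the data-files interface consider `manage_files_pattern($1, arpwatch_tmp_t, arpwatch_tmp_t)`. The same question applies to the `arpwatch_rw_tmp_files` hunk above.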
@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
|
||||
gen_require(`
|
||||
type arpwatch_t, arpwatch_tmp_t;
|
||||
type arpwatch_data_t, arpwatch_var_run_t;
|
||||
type arpwatch_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, arpwatch_t)
|
||||
|
||||
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
|
||||
arpwatch_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 arpwatch_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|