#DESC arpwatch - keep track of ethernet/ip address pairings
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
# daemon_domain() declares arpwatch_t / arpwatch_exec_t and the usual
# daemon entry transition; the extra privmail attribute is what permits the
# hand-off to the mail agent domains referenced at the end of this file.
daemon_domain(arpwatch, `, privmail')

# for files created by arpwatch
# arpwatch_data_t is the on-disk database type; arpwatch_t may create and
# manage both directories and files of it.
type arpwatch_data_t, file_type, sysadmfile;
create_dir_file(arpwatch_t,arpwatch_data_t)

# Private tmp type (arpwatch_tmp_t); note that it is shared with the mail
# agents further down, so it is not private to arpwatch_t.
tmp_domain(arpwatch)

# Capabilities. net_raw backs the packet_socket granted below. net_admin is
# the broadest of the four (interface reconfiguration, not just sniffing);
# NOTE(review): confirm it is really needed, presumably for switching the
# interface into promiscuous mode, rather than a leftover.
# setuid/setgid presumably let the daemon drop root after start-up; verify.
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
can_network_server(arpwatch_t)

# Socket classes the daemon opens on itself. packet_socket is the capture
# socket; the netlink route socket is read-only. The udp / unix sockets are
# presumably for resolver and local logging traffic; confirm against the
# binary before tightening.
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;

# Read-only access to system locations: directory search in sbin and
# var_lib, symlink following in sbin, and read access to the etc and usr
# trees. No write access outside arpwatch_data_t / arpwatch_tmp_t.
allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
can_ypbind(arpwatch_t)

# Only compiled in when the qmail policy is present.
ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')

# Gentoo only: initrc_t may add entries to the database directory and
# create files in it, presumably because the init script creates the
# database file itself. This is the only write access to arpwatch_data_t
# granted to a domain other than arpwatch_t.
ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo

# why is mail delivered to a directory of type arpwatch_data_t?
# Cross-domain exposure: the delivery agent may traverse the data
# directory, and system_mail_t / mta_user_agent get read-write access to
# files in the arpwatch tmp type. Anything arpwatch writes there is
# therefore readable and writable by the MTA domains.
allow mta_delivery_agent arpwatch_data_t:dir search;
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;

# dontaudit only suppresses the audit record; the mail agents are still
# denied read/write on the packet socket. Presumably the capture socket
# descriptor leaks into them when arpwatch_t spawns the mailer; confirm,
# since closing it before the exec would remove the need for this rule.
ifdef(`hide_broken_symptoms', `
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
')