288845a638
Signed-off-by: Dominick Grift <domg472@gmail.com>
157 lines
3.1 KiB
Plaintext
157 lines
3.1 KiB
Plaintext
## <summary>Ethernet activity monitor.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute arpwatch server in the arpwatch domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`arpwatch_initrc_domtrans',`
|
|
gen_require(`
|
|
type arpwatch_initrc_exec_t;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search arpwatch's data file directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`arpwatch_search_data',`
|
|
gen_require(`
|
|
type arpwatch_data_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
allow $1 arpwatch_data_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create arpwatch data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`arpwatch_manage_data_files',`
|
|
gen_require(`
|
|
type arpwatch_data_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write arpwatch temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`arpwatch_rw_tmp_files',`
|
|
gen_require(`
|
|
type arpwatch_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
allow $1 arpwatch_tmp_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write arpwatch temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`arpwatch_manage_tmp_files',`
|
|
gen_require(`
|
|
type arpwatch_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
allow $1 arpwatch_tmp_t:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write
|
|
## arpwatch packet sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`arpwatch_dontaudit_rw_packet_sockets',`
|
|
gen_require(`
|
|
type arpwatch_t;
|
|
')
|
|
|
|
dontaudit $1 arpwatch_t:packet_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an arpwatch environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed to manage the arpwatch domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`arpwatch_admin',`
|
|
gen_require(`
|
|
type arpwatch_t, arpwatch_tmp_t;
|
|
type arpwatch_data_t, arpwatch_var_run_t;
|
|
type arpwatch_initrc_exec_t;
|
|
')
|
|
|
|
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
|
|
ps_process_pattern($1, arpwatch_t)
|
|
|
|
arpwatch_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 arpwatch_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, arpwatch_tmp_t)
|
|
|
|
files_list_var($1)
|
|
admin_pattern($1, arpwatch_data_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, arpwatch_var_run_t)
|
|
')
|