rpms / selinux-policy

Clone
Source Code
GIT

Blame strict/domains/program/arpwatch.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   ba35e4d410e53e771fdce6210ccab352c7f931d8
  2.   strict
  3.   domains
  4.   program
  5.   arpwatch.te
Blob History Raw
Chris PeBenito 0fbfa5 
#DESC arpwatch -  keep track of ethernet/ip address pairings
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Author:  Dan Walsh <dwalsh@redhat.com>
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
#################################
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Rules for the arpwatch_t domain.
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# arpwatch_exec_t is the type of the arpwatch executable.
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
daemon_domain(arpwatch, `, privmail')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# for files created by arpwatch
Chris PeBenito 0fbfa5 
type arpwatch_data_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5 
create_dir_file(arpwatch_t,arpwatch_data_t)
Chris PeBenito 0fbfa5 
tmp_domain(arpwatch)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
can_network_server(arpwatch_t)
Chris PeBenito 0fbfa5 
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 0fbfa5 
allow arpwatch_t self:udp_socket create_socket_perms;
Chris PeBenito 0fbfa5 
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5 
allow arpwatch_t self:packet_socket create_socket_perms;
Chris PeBenito 0fbfa5 
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
allow arpwatch_t { sbin_t var_lib_t }:dir search;
Chris PeBenito 0fbfa5 
allow arpwatch_t sbin_t:lnk_file read;
Chris PeBenito 0fbfa5 
r_dir_file(arpwatch_t, etc_t)
Chris PeBenito 0fbfa5 
r_dir_file(arpwatch_t, usr_t)
Chris PeBenito 0fbfa5 
can_ypbind(arpwatch_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`qmail.te', `
Chris PeBenito 0fbfa5 
allow arpwatch_t bin_t:dir search;
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`distro_gentoo', `
Chris PeBenito 0fbfa5 
allow initrc_t arpwatch_data_t:dir { add_name write };
Chris PeBenito 0fbfa5 
allow initrc_t arpwatch_data_t:file create;
Chris PeBenito 0fbfa5 
')dnl end distro_gentoo
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
# why is mail delivered to a directory of type arpwatch_data_t?
Chris PeBenito 2705f9 
allow mta_delivery_agent arpwatch_data_t:dir search;
Chris PeBenito 2705f9 
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
Chris PeBenito 2705f9 
ifdef(`hide_broken_symptoms', `
Chris PeBenito 2705f9 
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
Chris PeBenito 2705f9 
')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation