#DESC arpwatch - keep track of ethernet/ip address pairings
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
# Declare the arpwatch domain through the shared daemon_domain macro, which is
# defined outside this file. Per the header above this provides arpwatch_t and
# arpwatch_exec_t. The quoted second argument attaches the extra privmail
# attribute to the domain.
# NOTE(review): privmail presumably lets the daemon hand reports to the system
# mailer - confirm against the attribute definition before relying on it.
daemon_domain(arpwatch, `, privmail')
# Dedicated type for files created by arpwatch, so its database is labelled
# separately from generic var_lib_t content. Carries the file_type and
# sysadmfile attributes.
type arpwatch_data_t, file_type, sysadmfile;
# Directory and file management on the private data type only (macro defined
# elsewhere - exact permission set should be checked there).
create_dir_file(arpwatch_t,arpwatch_data_t)
# Temporary-file handling for the domain via the shared tmp_domain macro.
tmp_domain(arpwatch)
# Capabilities granted to the daemon on itself:
#   net_raw        - needed for the packet socket allowed below
#   net_admin      - broad network administration capability
#   setgid setuid  - identity changes, presumably to drop root after startup
# NOTE(review): net_admin covers far more than sniffing; verify the daemon
# still needs it and that setuid/setgid are only used to reduce privilege.
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
# General network access from the shared macro (defined elsewhere).
# NOTE(review): the name suggests listening-server permissions; arpwatch is
# described above as a tracker of address pairings, so confirm that a narrower
# macro would not be sufficient.
can_network_server(arpwatch_t)
# Read-only netlink route socket access (r_netlink_socket_perms).
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
# Sockets the domain may create and use on itself. The packet_socket rule is
# the one that permits link-layer capture; it pairs with net_raw above.
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
# Path traversal only: search sbin_t and var_lib_t directories and follow
# symlinks labelled sbin_t. No read of directory contents is granted here.
allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
# Access to etc_t and usr_t content through r_dir_file (macro defined
# elsewhere; presumably read-only as the r_ prefix suggests).
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
# NIS/ypbind access from the shared macro (defined elsewhere).
can_ypbind(arpwatch_t)
# Only when the qmail policy module is part of the build: allow searching
# bin_t directories.
ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')
# Gentoo only: these rules extend initrc_t, not arpwatch_t. The init script
# domain may add entries to arpwatch_data_t directories and create files
# there. Only create is granted on the file class - no write or unlink.
ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo