Blob Blame History Raw
#DESC arpwatch -  keep track of ethernet/ip address pairings
#
# Author:  Dan Walsh <dwalsh@redhat.com>
#

#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
daemon_domain(arpwatch, `, privmail')

# for files created by arpwatch
type arpwatch_data_t, file_type, sysadmfile;
create_dir_file(arpwatch_t,arpwatch_data_t)
tmp_domain(arpwatch)

allow arpwatch_t self:capability { net_admin net_raw setgid setuid };

can_network_server(arpwatch_t)
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;

allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
can_ypbind(arpwatch_t)

ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')

ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo