From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Feb 2010 13:41:39 +0100
Subject: [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
Message-ID: <20100224124137.GA6244@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Allow domains to search /var/lib to enable interaction with arpwatch data. Allow domains to search /tmp to enable interaction with arpwatch tmp content. Create arpwatch initrc domtrans. Call arpwatch initrc domtrans from arpwatch_admin. Remove obsolete require.
Signed-off-by: Dominick Grift
---
:100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
1 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index 92e2dc8..0c3e830 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -2,6 +2,24 @@
 ########################################
 ##
+## Execute arpwatch server in the arpwatch domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`arpwatch_initrc_domtrans',` gen_require(` type arpwatch_initrc_exec_t; ')
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+##
 ## Search arpwatch's data file directories.
 ##
 ##
@@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
 type arpwatch_data_t;
 ')
+ files_search_var_lib($1)
 allow $1 arpwatch_data_t:dir search_dir_perms;
 ')
@@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
 type arpwatch_data_t;
 ')
+ files_search_var_lib($1)
 manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
 ')
@@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
 type arpwatch_tmp_t;
 ')
+ files_search_tmp($1)
 allow $1 arpwatch_tmp_t:file rw_file_perms;
 ')
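Review bot: The summary of the new arpwatch_initrc_domtrans interface, `## Execute arpwatch server in the arpwatch domain.`, does not describe what the body does: the only statement is `init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)`, which keys the transition on the labeled init script rather than on the arpwatch binary, so the caller ends up in the init script domain, not arpwatch_t. A reader granting this interface to an admin role should see that distinction in the doc. Suggested wording: `## Execute arpwatch init scripts in the init script domain.`, keeping the existing parameter description as is. The markup tags of the comment block appear stripped in this rendering, so only the sentence text is being commented on here.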
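Review bot: In arpwatch_rw_tmp_files the added `files_search_tmp($1)` gets the caller into /tmp, but the permission that follows is still `allow $1 arpwatch_tmp_t:file rw_file_perms;`, file class only; if arpwatch's tmp content lives in a directory that is itself labeled arpwatch_tmp_t (not visible from the hunk, so worth confirming against the .te file), the caller still cannot search that directory and the new line does not achieve what the commit message says. The data-file hunk in the same patch already uses `manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)`, which grants the directory search as well; the tmp interfaces would be consistent with it as `rw_files_pattern($1, arpwatch_tmp_t, arpwatch_tmp_t)` here and `manage_files_pattern($1, arpwatch_tmp_t, arpwatch_tmp_t)` in the following arpwatch_manage_tmp_files hunk. The interface header is outside the hunk (only the hunk's function context shows it).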
@@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
 type arpwatch_tmp_t;
 ')
+ files_search_tmp($1)
 allow $1 arpwatch_tmp_t:file manage_file_perms;
 ')
@@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
 gen_require(`
 type arpwatch_t, arpwatch_tmp_t;
 type arpwatch_data_t, arpwatch_var_run_t;
- type arpwatch_initrc_exec_t;
 ')
 allow $1 arpwatch_t:process { ptrace signal_perms getattr };
 ps_process_pattern($1, arpwatch_t)
- init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+ arpwatch_initrc_domtrans($1)
 domain_system_change_exemption($1)
 role_transition $2 arpwatch_initrc_exec_t system_r;
 allow $2 system_r;
--
1.6.6.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100224/f0ee28c2/attachment.bin
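Review bot: The require removed from arpwatch_admin, `type arpwatch_initrc_exec_t;`, is not obsolete: the unchanged line `role_transition $2 arpwatch_initrc_exec_t system_r;` in the same hunk still names that type directly, so the interface's declared dependencies no longer cover what it uses. It will probably still build because the new `arpwatch_initrc_domtrans($1)` call expands its own gen_require into the caller's module, but that makes arpwatch_admin's correctness depend on the internals of another interface, and any later change to arpwatch_initrc_domtrans would break the role_transition silently at policy build time rather than at the point of use. Keep the type in the block, for example `type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;` as the first require line. The body of arpwatch_admin continues past the end of the hunk.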