From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 04 Mar 2010 09:23:26 -0500
Subject: [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
In-Reply-To: <20100224124137.GA6244@localhost.localdomain>
References: <20100224124137.GA6244@localhost.localdomain>
Message-ID: <1267712606.11679.6.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-02-24 at 13:41 +0100, Dominick Grift wrote:
> Allow domains to search /var/lib to enable interaction with arpwatch data.
> Allow domains to search /tmp to enable interaction with arpwatch tmp content.
> Create arpwatch initrc domtrans.
> Call arpwatch initrc domtrans from arpwatch_admin.
> Remove obsolete require.

Merged. Put arpwatch_initrc_exec_t back into the arpwatch_admin() require, since it is explicitly used in the interface.

> Signed-off-by: Dominick Grift
> ---
> :100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
> policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
> 1 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
> index 92e2dc8..0c3e830 100644
> --- a/policy/modules/services/arpwatch.if
> +++ b/policy/modules/services/arpwatch.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ##
> +## Execute arpwatch server in the arpwatch domain.
> +##
> +##
> +##
> +## The type of the process performing this action.
> +##
> +##
> +#
> +interface(`arpwatch_initrc_domtrans',`
> + gen_require(`
> + type arpwatch_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
> +')
> +
> +########################################
> +##
> ## Search arpwatch's data file directories.
> ##
> ##
> @@ -15,6 +33,7 @@ interface(`arpwatch_search_data',`
> type arpwatch_data_t;
> ')
>
> + files_search_var_lib($1)
> allow $1 arpwatch_data_t:dir search_dir_perms;
> ')
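Review bot: The summary line `+## Execute arpwatch server in the arpwatch domain.` on the new arpwatch_initrc_domtrans interface does not match what the body grants: `init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)` lets the caller run the arpwatch init script with a transition into the init script domain, not into arpwatch_t, and it does not itself start the arpwatch daemon directly. A reader choosing between this interface and a direct domain transition needs that distinction to reason about which domain ends up with what privilege. Suggest `## Execute the arpwatch init script in the init script domain.` as the summary, with the parameter description left as is.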
>
> @@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',`
> type arpwatch_data_t;
> ')
>
> + files_search_var_lib($1)
> manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
> ')
>
> @@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',`
> type arpwatch_tmp_t;
> ')
>
> + files_search_tmp($1)
> allow $1 arpwatch_tmp_t:file rw_file_perms;
> ')
>
> @@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',`
> type arpwatch_tmp_t;
> ')
>
> + files_search_tmp($1)
> allow $1 arpwatch_tmp_t:file manage_file_perms;
> ')
>
> @@ -112,13 +134,12 @@ interface(`arpwatch_admin',`
> gen_require(`
> type arpwatch_t, arpwatch_tmp_t;
> type arpwatch_data_t, arpwatch_var_run_t;
> - type arpwatch_initrc_exec_t;
> ')
>
> allow $1 arpwatch_t:process { ptrace signal_perms getattr };
> ps_process_pattern($1, arpwatch_t)
>
> - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
> + arpwatch_initrc_domtrans($1)
> domain_system_change_exemption($1)
> role_transition $2 arpwatch_initrc_exec_t system_r;
> allow $2 system_r;
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
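Review bot: The added `files_search_var_lib($1)` in arpwatch_search_data (hunk at -15,6 +33,7) widens the grant beyond the arpwatch_data_t directory search that the interface's summary, outside the hunk, describes, and the same applies to `files_search_var_lib($1)` in arpwatch_manage_data_files and `files_search_tmp($1)` in arpwatch_rw_tmp_files and arpwatch_manage_tmp_files. Callers picking these interfaces for a narrow grant now also receive search on the parent /var/lib or /tmp directory type, which is presumably intended so the interfaces are usable on their own, but it should be visible from the documentation rather than only from the body. Suggest extending each affected summary, e.g. `## Search arpwatch's data file directories (includes search of /var/lib).` and the corresponding `(includes search of /tmp)` wording for the two tmp interfaces; the interface headers begin before the hunks.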