From: domg472@gmail.com (Dominick Grift)
Date: Thu, 04 Mar 2010 18:16:33 +0100
Subject: [refpolicy] [ arpwatch patch 1/1] Various arpwatch fixes.
In-Reply-To: <1267712606.11679.6.camel@gorn.columbia.tresys.com>
References: <20100224124137.GA6244@localhost.localdomain>
	<1267712606.11679.6.camel@gorn.columbia.tresys.com>
Message-ID: <4B8FEAF1.4010100@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2010 03:23 PM, Christopher J. PeBenito wrote:
> On Wed, 2010-02-24 at 13:41 +0100, Dominick Grift wrote:
>> Allow domains to search /var/lib to enable interaction with arpwatch data.
>> Allow domains to search /tmp to enable interaction with arpwatch tmp content.
>> Create arpwatch initrc domtrans.
>> Call arpwatch initrc domtrans from arpwatch_admin.
>> Remove obsolete require.
>
> Merged. Put arpwatch_initrc_exec_t back into the arpwatch_admin()
> require, since it is explicitly used in the interface.

But it is also a require in the interface. So basically now it's two times included in the arpwatch_admin. I don't see why that's needed: if I for example call files_read_etc_file(bla_t), then I don't have to also require type etc_t because the interface already requires it.

>
>> Signed-off-by: Dominick Grift
>> ---
>> :100644 100644 92e2dc8... 0c3e830... M policy/modules/services/arpwatch.if
>> policy/modules/services/arpwatch.if | 25 +++++++++++++++++++++++--
>> 1 files changed, 23 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
>> index 92e2dc8..0c3e830 100644
>> --- a/policy/modules/services/arpwatch.if
>> +++ b/policy/modules/services/arpwatch.if
>> @@ -2,6 +2,24 @@ >> >> ######################################## >> ## >> +## Execute arpwatch server in the arpwatch domain. >> +## >> +## >> +## >> +## The type of the process performing this action. >> +## >> +## >> +# >> +interface(`arpwatch_initrc_domtrans',` >> + gen_require(` >> + type arpwatch_initrc_exec_t; >> + ') >> + >> + init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) >> +') >> + >> +######################################## >> +## >> ## Search arpwatch's data file directories. >> ## >> ## >> @@ -15,6 +33,7 @@ interface(`arpwatch_search_data',` >> type arpwatch_data_t; >> ') >> >> + files_search_var_lib($1) >> allow $1 arpwatch_data_t:dir search_dir_perms; >> ') >> >> @@ -33,6 +52,7 @@ interface(`arpwatch_manage_data_files',` >> type arpwatch_data_t; >> ') >> >> + files_search_var_lib($1) >> manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) >> ') >> >> @@ -51,6 +71,7 @@ interface(`arpwatch_rw_tmp_files',` >> type arpwatch_tmp_t; >> ') >> >> + files_search_tmp($1) >> allow $1 arpwatch_tmp_t:file rw_file_perms; >> ') >> >> @@ -69,6 +90,7 @@ interface(`arpwatch_manage_tmp_files',` >> type arpwatch_tmp_t; >> ') >> >> + files_search_tmp($1) >> allow $1 arpwatch_tmp_t:file manage_file_perms; >> ') 
>> >> @@ -112,13 +134,12 @@ interface(`arpwatch_admin',` >> gen_require(` >> type arpwatch_t, arpwatch_tmp_t; >> type arpwatch_data_t, arpwatch_var_run_t; >> - type arpwatch_initrc_exec_t; >> ') >> >> allow $1 arpwatch_t:process { ptrace signal_perms getattr }; >> ps_process_pattern($1, arpwatch_t) >> >> - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) >> + arpwatch_initrc_domtrans($1) >> domain_system_change_exemption($1) >> role_transition $2 arpwatch_initrc_exec_t system_r; >> allow $2 system_r; >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100304/6c25a555/attachment-0001.bin
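Review bot: the summary of the new arpwatch_initrc_domtrans interface (first hunk, "Execute arpwatch server in the arpwatch domain.") does not match its body. init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) lets the caller execute the arpwatch init script and transition into the initrc domain; it does not transition into arpwatch_t, and no arpwatch_t rule appears in the interface. Reword the summary to say that it executes the arpwatch init script (initrc domain), so the generated interface documentation does not suggest a direct domtrans into arpwatch_t.

Review bot: in the arpwatch_rw_tmp_files and arpwatch_manage_tmp_files hunks, the added files_search_tmp($1) only grants search on the generic /tmp directory type; neither interface grants $1 anything on arpwatch_tmp_t:dir, and the existing rules are file-only (`allow $1 arpwatch_tmp_t:file rw_file_perms;` and `allow $1 arpwatch_tmp_t:file manage_file_perms;`). A caller can therefore reach arpwatch tmp files placed directly in /tmp, but not files under a directory that is itself labeled arpwatch_tmp_t. If arpwatch creates such directories, add a matching `allow $1 arpwatch_tmp_t:dir search_dir_perms;` (or switch to rw_files_pattern / manage_files_pattern with arpwatch_tmp_t as the directory type); if it only ever creates files directly in /tmp, the hunks are fine as they stand.

Review bot: in the arpwatch_admin hunk, removing `type arpwatch_initrc_exec_t;` from gen_require is premature, because the interface still references that type directly in `role_transition $2 arpwatch_initrc_exec_t system_r;`. Only the init_labeled_script_domtrans call moved into arpwatch_initrc_domtrans; the role_transition stayed behind, so arpwatch_admin now relies on the require that happens to be expanded from the called interface rather than declaring the type itself. Keep `type arpwatch_initrc_exec_t;` in this require block so the interface declares everything it uses and does not break if arpwatch_initrc_domtrans is changed later, which is the point raised in the merge reply above.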