Ethernet activity monitor.

######################################## ##

## Execute arpwatch server in the ## arpwatch domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`arpwatch_initrc_domtrans',` gen_require(` type arpwatch_initrc_exec_t; ') init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) ') ######################################## ##

## Search arpwatch data file directories. ##

## ##

## Domain allowed access. ##

## # interface(`arpwatch_search_data',` gen_require(` type arpwatch_data_t; ') files_search_var_lib($1) allow $1 arpwatch_data_t:dir search_dir_perms; ') ######################################## ##

## Create, read, write, and delete ## arpwatch data files. ##

## ##

## Domain allowed access. ##

## # interface(`arpwatch_manage_data_files',` gen_require(` type arpwatch_data_t; ') files_search_var_lib($1) manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) ') ######################################## ##

## Read and write arpwatch temporary ## files. ##

## ##

## Domain allowed access. ##

## # interface(`arpwatch_rw_tmp_files',` gen_require(` type arpwatch_tmp_t; ') files_search_tmp($1) allow $1 arpwatch_tmp_t:file rw_file_perms; ') ######################################## ##

## Create, read, write, and delete ## arpwatch temporary files. ##

## ##

## Domain allowed access. ##

## # interface(`arpwatch_manage_tmp_files',` gen_require(` type arpwatch_tmp_t; ') files_search_tmp($1) allow $1 arpwatch_tmp_t:file manage_file_perms; ') ######################################## ##

## Do not audit attempts to read and ## write arpwatch packet sockets. ##

## ##

## Domain to not audit. ##

## # interface(`arpwatch_dontaudit_rw_packet_sockets',` gen_require(` type arpwatch_t; ') dontaudit $1 arpwatch_t:packet_socket { read write }; ') ######################################## ##

## Execute arpwatch server in the arpwatch domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`arpwatch_systemctl',` gen_require(` type arpwatch_t; type arpwatch_unit_file_t; ') systemd_exec_systemctl($1) allow $1 arpwatch_unit_file_t:file read_file_perms; allow $1 arpwatch_unit_file_t:service manage_service_perms; ps_process_pattern($1, arpwatch_t) ') ######################################## ##

## All of the rules required to ## administrate an arpwatch environment. ##

## ##

## Domain allowed access. ##

## ## ##

## Role allowed access. ##

## ## # interface(`arpwatch_admin',` gen_require(` type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; type arpwatch_data_t, arpwatch_var_run_t; type arpwatch_unit_file_t; ') allow $1 arpwatch_t:process signal_perms; ps_process_pattern($1, arpwatch_t) tunable_policy(`deny_ptrace',`',` allow $1 arpwatch_t:process ptrace; ') arpwatch_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 arpwatch_initrc_exec_t system_r; allow $2 system_r; files_list_tmp($1) admin_pattern($1, arpwatch_tmp_t) files_list_var($1) admin_pattern($1, arpwatch_data_t) files_list_pids($1) admin_pattern($1, arpwatch_var_run_t) arpwatch_systemctl($1) admin_pattern($1, arpwatch_unit_file_t) allow $1 arpwatch_unit_file_t:service all_service_perms; ')