From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Amanda 1/1] Clean up Amanda module.
Date: Fri, 3 Sep 2010 17:46:51 +0200 [thread overview]
Message-ID: <20100903154648.GA27648@localhost.localdomain> (raw)
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 734bd71... e3e0701... M policy/modules/admin/amanda.fc
:100644 100644 d1d035e... 8498e97... M policy/modules/admin/amanda.if
:100644 100644 8b6bef6... 123ab37... M policy/modules/admin/amanda.te
policy/modules/admin/amanda.fc | 4 +---
policy/modules/admin/amanda.if | 28 ++++++++++++++++------------
policy/modules/admin/amanda.te | 21 ++-------------------
3 files changed, 19 insertions(+), 34 deletions(-)
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 734bd71..e3e0701 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -1,4 +1,3 @@
-
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
@@ -8,13 +7,12 @@
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
-/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
-
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
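Review bot: The `/tmp/amanda(/.*)?` file context for `amanda_tmp_t` is dropped here while the type itself stays declared (`type amanda_tmp_t; files_tmp_file(amanda_tmp_t)` is still visible as context in the amanda.te hunk), and the commit message "Clean up Amanda module." gives no rationale for the removal. If the domain gets its tmp labels only from a runtime file transition (not visible in this patch), day-to-day labeling keeps working, but a relabel of an existing `/tmp/amanda` tree would then fall back to the generic tmp label and silently lose the `amanda_tmp_t` separation. Either keep the line, `/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)`, or say in the commit message why the path no longer needs a context. The added blank line before `/usr/sbin/amrecover` is a pure formatting change and fine.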
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index d1d035e..8498e97 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -1,8 +1,9 @@
-## <summary>Automated backup program.</summary>
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
########################################
## <summary>
-## Execute amrecover in the amanda_recover domain.
+## Execute a domain transition to run
+## Amanda recover.
## </summary>
## <param name="domain">
## <summary>
@@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',`
type amanda_recover_t, amanda_recover_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
')
########################################
## <summary>
-## Execute amrecover in the amanda_recover domain, and
-## allow the specified role the amanda_recover domain.
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
## </summary>
## <param name="domain">
## <summary>
@@ -46,7 +49,7 @@ interface(`amanda_run_recover',`
########################################
## <summary>
-## Search amanda library directories.
+## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
@@ -59,8 +62,8 @@ interface(`amanda_search_lib',`
type amanda_usr_lib_t;
')
- allow $1 amanda_usr_lib_t:dir search_dir_perms;
files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
')
########################################
@@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',`
########################################
## <summary>
-## Allow read/writing /etc/dumpdates.
+## Read and write /etc/dumpdates.
## </summary>
## <param name="domain">
## <summary>
@@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
type amanda_dumpdates_t;
')
+ files_search_etc($1)
allow $1 amanda_dumpdates_t:file rw_file_perms;
')
########################################
## <summary>
-## Search amanda library directories.
+## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
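Review bot: The summary for `amanda_manage_lib` is still wrong after this hunk: it now reads "Search Amanda library directories." (only the capitalisation was changed) but the interface body in the next hunk grants `manage_dir_perms` on `amanda_usr_lib_t`, which is far more than a search. Since the commit is already rewording these summaries, this one should say what the interface actually allows, e.g. `## Create, read, write, and delete Amanda library directories.`, so that callers do not pick it up believing it is a narrow search interface. The interface itself starts outside this hunk. The added `files_search_etc($1)` in `amanda_rw_dumpdates_files` looks correct for a file under /etc.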
@@ -114,13 +118,13 @@ interface(`amanda_manage_lib',`
type amanda_usr_lib_t;
')
- allow $1 amanda_usr_lib_t:dir manage_dir_perms;
files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
')
########################################
## <summary>
-## Allow read/writing amanda logs
+## Read and append amanda logs.
## </summary>
## <param name="domain">
## <summary>
@@ -133,12 +137,13 @@ interface(`amanda_append_log_files',`
type amanda_log_t;
')
+ logging_search_logs($1)
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')
#######################################
## <summary>
-## Search amanda var library directories.
+## Search Amanda var library directories.
## </summary>
## <param name="domain">
## <summary>
@@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',`
files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
-
')
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 8b6bef6..123ab37 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
-# type for amanda configurations files
type amanda_config_t;
files_type(amanda_config_t)
-# type for files in /usr/lib/amanda
type amanda_usr_lib_t;
files_type(amanda_usr_lib_t)
-# type for all files in /var/lib/amanda
type amanda_var_lib_t;
files_type(amanda_var_lib_t)
-# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
-# type for /etc/amandates
type amanda_amandates_t;
files_type(amanda_amandates_t)
-# type for /etc/dumpdates
type amanda_dumpdates_t;
files_type(amanda_dumpdates_t)
-# type for amanda data
type amanda_data_t;
files_type(amanda_data_t)
-# type for amrecover
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t, amanda_recover_exec_t)
role system_r types amanda_recover_t;
-# type for recover files ( restored data )
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;
-# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file rw_file_perms;
-# configuration files -> read only
allow amanda_t amanda_config_t:file read_file_perms;
-# access to amandas data structure
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
-# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
-# Added for targeted policy
term_use_unallocated_ttys(amanda_t)
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
-optional_policy(`
- logging_send_syslog_msg(amanda_t)
-')
+logging_send_syslog_msg(amanda_t)
########################################
#
# Amanda recover local policy
+#
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
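Review bot: Deleting the `# Added for targeted policy` comment leaves `term_use_unallocated_ttys(amanda_t)` with no visible justification, and that interface grants read/write access to unallocated tty devices, which is a notable grant for a backup daemon. If the need still stands, keep a one-line why-comment in its place (a placeholder such as `# amanda_t needs rw access to unallocated ttys: <reason>` with the real reason filled in); if it only ever existed for the old targeted policy, it is a candidate for removal rather than for losing its note. Moving `logging_send_syslog_msg(amanda_t)` out of `optional_policy` is fine provided the logging module is required in this build, which I cannot confirm from the patch.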
@@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
-# access to amanda_recover_dir_t
manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
--
1.7.2.1