* [refpolicy] [PATCH 0/2] Adding Bacula policy
@ 2012-03-01 20:17 Sven Vermeulen
2012-03-01 20:18 ` [refpolicy] [PATCH 1/2] Policy for Bacula Sven Vermeulen
2012-03-01 20:18 ` [refpolicy] [PATCH 2/2] Allow sysadm to call bacula client Sven Vermeulen
0 siblings, 2 replies; 4+ messages in thread
From: Sven Vermeulen @ 2012-03-01 20:17 UTC (permalink / raw)
To: refpolicy
The following two patches add the Bacula SELinux policy to the reference
policy. It is split in two:
- adding the bacula domain
- allowing the sysadm role to call the bacula admin client
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH 1/2] Policy for Bacula
From: Sven Vermeulen @ 2012-03-01 20:18 UTC (permalink / raw)
To: refpolicy
This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula onto the existing backup module was not feasible (partially because it uses both a general domain and an administrative client domain).
Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241.
Policy updated with comments from Christopher J. PeBenito.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
bacula.fc | 20 ++++++++++
bacula.if | 45 ++++++++++++++++++++++
bacula.te | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 187 insertions(+), 0 deletions(-)
create mode 100644 bacula.fc
create mode 100644 bacula.if
create mode 100644 bacula.te
diff --git a/bacula.fc b/bacula.fc
new file mode 100644
index 0000000..b70b6d2
--- /dev/null
+++ b/bacula.fc
@@ -0,0 +1,20 @@
+#
+# /usr
+#
+/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+#
+# /etc
+#
+/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0)
+
+#
+# /var
+#
+/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+# A separate disk for backups mounted at /bacula or beginning with
+# /bacula also matches a restore directory like /bacula-restores
+/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0)
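Review bot: bacula.fc has no entry for bacula_var_run_t, although bacula.te declares that type with files_pid_file() and relies on files_pid_filetrans(bacula_t, bacula_var_run_t, file) to label it; that transition only covers files the daemon itself creates, so a /var/run/bacula directory set up by packaging or an init script, or anything relabelled by restorecon, ends up as var_run_t. Add a line such as `/var/run/bacula(/.*)? gen_context(system_u:object_r:bacula_var_run_t,s0)` and grant bacula_t the matching dir permissions. Two smaller points: the bat and bconsole entries omit the `--` file-type specifier that the `/usr/sbin/bacula-(.*)?` line uses for executables, and `/bacula(.*)?` labels every top-level path beginning with /bacula as bacula_store_t (the comment says this is intended for /bacula-restores), which is broader than needed if the host has unrelated /bacula* directories.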
diff --git a/bacula.if b/bacula.if
new file mode 100644
index 0000000..6b1722e
--- /dev/null
+++ b/bacula.if
@@ -0,0 +1,45 @@
+## <summary>bacula backup program</summary>
+
+########################################
+## <summary>
+## Execute user interfaces in the bacula_admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bacula_domtrans_admin',`
+ gen_require(`
+ type bacula_admin_t, bacula_admin_exec_t;
+ ')
+
+ domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
+')
+
+########################################
+## <summary>
+## Execute user interfaces in the bacula_admin domain, and
+## allow the specified role to transition to the bacula_admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_run_admin',`
+ gen_require(`
+ type bacula_admin_t;
+ ')
+
+ bacula_domtrans_admin($1)
+ role $2 types bacula_admin_t;
+')
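Review bot: the interface file only exposes the domain transition into bacula_admin_t; there is no bacula_admin() interface (the refpolicy convention, marked `<rolecap/>`) that lets an administrative role manage bacula_etc_t, bacula_store_t, bacula_var_lib_t and bacula_var_run_t and signal bacula_t, so any other module that needs to touch the backup configuration or store would have to reference these types directly. Consider adding it alongside bacula_run_admin(). Style nit: the file summary `bacula backup program` is usually capitalised as a proper name in the other .if files.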
diff --git a/bacula.te b/bacula.te
new file mode 100644
index 0000000..f2ad364
--- /dev/null
+++ b/bacula.te
@@ -0,0 +1,122 @@
+policy_module(bacula, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bacula_t;
+type bacula_exec_t;
+init_daemon_domain(bacula_t, bacula_exec_t)
+
+type bacula_etc_t;
+files_type(bacula_etc_t)
+
+type bacula_store_t;
+files_type(bacula_store_t)
+files_mountpoint(bacula_store_t)
+
+type bacula_var_lib_t;
+files_type(bacula_var_lib_t)
+
+type bacula_var_run_t;
+files_pid_file(bacula_var_run_t)
+
+type bacula_admin_t;
+type bacula_admin_exec_t;
+application_domain(bacula_admin_t, bacula_admin_exec_t)
+
+########################################
+#
+# Local policy - bacula daemon
+#
+
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:process signal;
+allow bacula_t self:fifo_file rw_fifo_file_perms;
+allow bacula_t self:tcp_socket create_stream_socket_perms;
+allow bacula_t self:udp_socket create_socket_perms;
+allow bacula_t self:netlink_route_socket create_netlink_socket_perms;
+
+read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
+manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
+
+manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file)
+
+allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};
+files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+
+kernel_read_kernel_sysctls(bacula_t)
+kernel_read_system_state(bacula_t)
+
+corecmd_exec_bin(bacula_t)
+corecmd_exec_shell(bacula_t)
+
+corenet_tcp_bind_generic_node(bacula_t)
+corenet_udp_bind_generic_node(bacula_t)
+corenet_tcp_bind_generic_port(bacula_t)
+corenet_udp_bind_generic_port(bacula_t)
+corenet_tcp_bind_hplip_port(bacula_t)
+corenet_udp_bind_hplip_port(bacula_t)
+corenet_tcp_connect_all_ports(bacula_t)
+corenet_tcp_connect_smtp_port(bacula_t)
+# Bacula's default port are listed already under hplip
+
+dev_getattr_all_blk_files(bacula_t)
+dev_getattr_all_chr_files(bacula_t)
+
+files_dontaudit_getattr_all_sockets(bacula_t)
+files_read_all_files(bacula_t)
+files_read_all_symlinks(bacula_t)
+
+fs_getattr_xattr_fs(bacula_t)
+fs_list_all(bacula_t)
+
+auth_read_shadow(bacula_t)
+
+logging_send_syslog_msg(bacula_t)
+
+optional_policy(`
+ mysql_stream_connect(bacula_t)
+ mysql_tcp_connect(bacula_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(bacula_t)
+')
+
+optional_policy(`
+ sysnet_use_ldap(bacula_t)
+ ldap_stream_connect(bacula_t)
+')
+
+
+########################################
+#
+# Local policy - bacula admin client
+#
+allow bacula_admin_t self:process signal;
+allow bacula_admin_t self:tcp_socket create_stream_socket_perms;
+allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
+
+read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t)
+
+corenet_tcp_connect_hplip_port(bacula_admin_t)
+corenet_udp_sendrecv_hplip_port(bacula_admin_t)
+
+domain_use_interactive_fds(bacula_admin_t)
+
+files_read_etc_files(bacula_admin_t)
+
+miscfiles_read_localization(bacula_admin_t)
+
+sysnet_dns_name_resolve(bacula_admin_t)
+
+userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+userdom_use_user_ptys(bacula_admin_t)
+
+
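Review bot: bacula_t is a single domain for the director, storage daemon and file daemon alike (bacula.fc labels all of /usr/sbin/bacula-* with bacula_exec_t), and the combination of files_read_all_files(), auth_read_shadow(), the dac_override and dac_read_search capabilities, corecmd_exec_shell() and corenet_tcp_connect_all_ports() means a compromised director or storage daemon gets the same read-everything, connect-anywhere footprint that only the file daemon actually needs. The comment at the end of the corenet block says Bacula's default ports are already covered by the hplip port type, so corenet_tcp_connect_all_ports() can likely be narrowed to corenet_tcp_connect_hplip_port() plus the database connects already present in the optional blocks, and auth_read_shadow() deserves a comment saying why the daemon needs it. Smaller points: `allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};` should be written as manage_files_pattern(bacula_t, bacula_var_run_t, bacula_var_run_t) like the rest of the file; sysnet_use_ldap() comes from the base sysnetwork module and is normally called unconditionally, with only ldap_stream_connect() inside the optional_policy block; and the comment `default port are listed` should read `default ports are listed`.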
--
1.7.3.4
* [refpolicy] [PATCH 2/2] Allow sysadm to call bacula client
From: Sven Vermeulen @ 2012-03-01 20:18 UTC (permalink / raw)
To: refpolicy
This patch allows the sysadmin to run the bacula admin client.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 430c5e1..3f5690c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -98,6 +98,10 @@ optional_policy(`
')
optional_policy(`
+ bacula_run_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
bind_run_ndc(sysadm_t, sysadm_r)
')
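Review bot: the new block is correctly wrapped in optional_policy() and sits in alphabetical order before bind_run_ndc(), so it resolves cleanly whether or not the bacula module is loaded. Note that it only lets sysadm_t execute bat and bconsole in bacula_admin_t, a domain the new module limits to reading bacula_etc_t and talking to the hplip ports; editing /etc/bacula or the backup store still depends on sysadm_t's own file access, not on anything in this patch.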
--
1.7.3.4
* [refpolicy] [PATCH 1/2] Policy for Bacula
From: Christopher J. PeBenito @ 2012-03-30 13:44 UTC (permalink / raw)
To: refpolicy
On 03/01/12 15:18, Sven Vermeulen wrote:
>
> This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing
> backup module was not feasible (partially because it uses both a general domain and an administrative client domain).
>
> Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241.
> Policy updated with comments from Christopher J. PeBenito.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com