From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC/PATCH 1/1] Policy for Bacula
Date: Wed, 4 Jan 2012 07:16:45 -0500	[thread overview]
Message-ID: <4F04432D.9080201@tresys.com> (raw)
In-Reply-To: <20111228190527.GA17501@siphos.be>

On 12/28/11 14:05, Sven Vermeulen wrote:
> This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing backup
> module was not feasible (partially because it uses both a general domain and an administrative client domain).
> 
> Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  bacula.fc |   20 ++++++++++
>  bacula.if |   45 +++++++++++++++++++++++
>  bacula.te |  117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 182 insertions(+), 0 deletions(-)
>  create mode 100644 bacula.fc
>  create mode 100644 bacula.if
>  create mode 100644 bacula.te
> 
> diff --git a/bacula.fc b/bacula.fc
> new file mode 100644
> index 0000000..b44c547
> --- /dev/null
> +++ b/bacula.fc
> @@ -0,0 +1,20 @@
> +#
> +# /usr
> +#
> +/usr/sbin/bacula-(.*)?	--	gen_context(system_u:object_r:bacula_exec_t,s0)
> +/usr/sbin/bat			gen_context(system_u:object_r:bacula_admin_exec_t,s0)
> +/usr/sbin/bconsole		gen_context(system_u:object_r:bacula_admin_exec_t,s0)
> +
> +#
> +# /etc
> +#
> +/etc/bacula(/.*)?	--	gen_context(system_u:object_r:bacula_conf_t,s0)
> +
> +# 
> +# /var
> +#
> +/var/lib/bacula(/.*)?		gen_context(system_u:object_r:bacula_var_lib_t,s0)
> +
> +# A separate disk for backups mounted at /bacula or beginning with
> +# /bacula also matches a restore directory like /bacula-restores
> +/bacula(.*)?			gen_context(system_u:object_r:bacula_store_t,s0)
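Review bot: The `/etc/bacula(/.*)?` entry carries the `--` regular-file flag, so only plain files under /etc/bacula get bacula_conf_t while the directory itself, and any symlinks or subdirectories, keep whatever the generic /etc rules give them; drop the flag so the whole tree is labelled: `/etc/bacula(/.*)?		gen_context(system_u:object_r:bacula_conf_t,s0)`. bacula_conf_t is also referenced here but is not declared anywhere in the bacula.te hunk below, so the module install is expected to fail until a `type bacula_conf_t;` declaration is added. The `/bacula(.*)?` pattern matches every top-level path whose name merely starts with `bacula` (e.g. `/baculafoo`), which the comment says is intended, but `/bacula(-[^/]*)?(/.*)?` would express "the /bacula mount or a /bacula-* sibling" more tightly. There is no entry for a pid directory under /var/run even though bacula_var_run_t is declared and created via files_pid_filetrans; if the daemons keep their pid files in /var/run/bacula, a `/var/run/bacula(/.*)?` line is needed so a relabel does not strip them.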
> diff --git a/bacula.if b/bacula.if
> new file mode 100644
> index 0000000..d7f695c
> --- /dev/null
> +++ b/bacula.if
> @@ -0,0 +1,45 @@
> +## <summary>bacula backup program</summary>
> +
> +########################################
> +## <summary>
> +##	Execute user interfaces in the bacula_admin domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`bacula_admin_domtrans',`

Should be bacula_domtrans_admin.

> +	gen_require(`
> +		type bacula_admin_t, bacula_admin_exec_t;
> +	')
> +
> +	domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute user interfaces in the bacula_admin domain, and
> +##	allow the specified role to transition to the bacula_admin domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`bacula_admin_run',`

Should be bacula_run_admin.

> +	gen_require(`
> +		type bacula_admin_t;
> +	')
> +
> +	bacula_admin_domtrans($1)
> +	role $2 types bacula_admin_t;
> +')
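Review bot: The interface file only exposes the domain transition for the console client; there is no admin-style interface letting a privileged role manage bacula_store_t, bacula_var_lib_t and bacula_var_run_t, so a sysadm cannot relabel or clean up the backup store without a local module. Refpolicy service modules conventionally ship one built from `admin_pattern($1, bacula_store_t)` and friends plus the existing run interface for the client; whether Gentoo's users need it is a policy decision, but it is worth deciding explicitly. The two summaries say "Execute user interfaces", which does not tell a reader which binaries are meant; `Execute the bacula console clients (bconsole, bat) in the bacula_admin domain.` names them directly.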
> diff --git a/bacula.te b/bacula.te
> new file mode 100644
> index 0000000..77e6ff1
> --- /dev/null
> +++ b/bacula.te
> @@ -0,0 +1,117 @@
> +policy_module(bacula, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type bacula_t;
> +type bacula_exec_t;
> +init_daemon_domain(bacula_t, bacula_exec_t)
> +
> +type bacula_store_t;
> +files_type(bacula_store_t)
> +files_mountpoint(bacula_store_t)
> +
> +type bacula_var_lib_t;
> +files_type(bacula_var_lib_t)
> +
> +type bacula_var_run_t;
> +files_pid_file(bacula_var_run_t)
> +
> +type bacula_admin_t;
> +type bacula_admin_exec_t;
> +application_domain(bacula_admin_t, bacula_admin_exec_t)
> +
> +########################################
> +#
> +# Local policy - bacula daemon
> +#
> +
> +allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
> +allow bacula_t self:process signal;
> +allow bacula_t self:fifo_file rw_fifo_file_perms;
> +allow bacula_t self:tcp_socket create_stream_socket_perms;
> +allow bacula_t self:udp_socket create_socket_perms;
> +allow bacula_t self:netlink_route_socket create_netlink_socket_perms;
> +
> +allow bacula_t bacula_store_t:file setattr;

Looks like a redundant rule, though the bacula_store_t rules below should be moved up here.

> +allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};
> +
> +files_pid_filetrans(bacula_t, bacula_var_run_t, file)
> +files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file)
> +
> +manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
> +manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
> +manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
> +manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
> +
> +kernel_read_kernel_sysctls(bacula_t)
> +kernel_read_system_state(bacula_t)
> +
> +corecmd_exec_bin(bacula_t)
> +corecmd_exec_shell(bacula_t)
> +
> +corenet_tcp_bind_generic_node(bacula_t)
> +corenet_udp_bind_generic_node(bacula_t)
> +corenet_tcp_bind_generic_port(bacula_t)
> +corenet_udp_bind_generic_port(bacula_t)
> +corenet_tcp_bind_hplip_port(bacula_t)
> +corenet_udp_bind_hplip_port(bacula_t)
> +corenet_tcp_connect_all_ports(bacula_t)
> +corenet_tcp_connect_smtp_port(bacula_t)
> +# Bacula's default port are listed already under hplip
> +
> +dev_getattr_all_blk_files(bacula_t)
> +dev_getattr_all_chr_files(bacula_t)
> +
> +files_dontaudit_getattr_all_sockets(bacula_t)
> +files_read_all_files(bacula_t)
> +files_read_all_symlinks(bacula_t)
> +
> +fs_getattr_xattr_fs(bacula_t)
> +fs_list_all(bacula_t)
> +
> +auth_read_shadow(bacula_t)
> +
> +logging_send_syslog_msg(bacula_t)
> +
> +optional_policy(`
> +	mysql_stream_connect(bacula_t)
> +	mysql_tcp_connect(bacula_t)
> +')
> +	
> +optional_policy(`
> +	nis_use_ypbind(bacula_t)
> +')
> +
> +optional_policy(`
> +	sysnet_use_ldap(bacula_t)
> +	ldap_stream_connect(bacula_t)
> +')
> +
> +
> +########################################
> +#
> +# Local policy - bacula admin client
> +#
> +allow bacula_admin_t self:process signal;
> +allow bacula_admin_t self:tcp_socket create_stream_socket_perms;
> +allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
> +
> +corenet_tcp_connect_hplip_port(bacula_admin_t)
> +corenet_udp_sendrecv_hplip_port(bacula_admin_t)
> +
> +domain_use_interactive_fds(bacula_admin_t)
> +
> +files_read_etc_files(bacula_admin_t)
> +
> +miscfiles_read_localization(bacula_admin_t)
> +
> +sysnet_dns_name_resolve(bacula_admin_t)
> +
> +userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
> +userdom_use_user_ptys(bacula_admin_t)
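Review bot: bacula_conf_t, which bacula.fc assigns to /etc/bacula, is never declared in the Declarations section, and bacula_admin_t has only files_read_etc_files, which covers etc_t but not a separate config type — so bconsole and bat would be unable to read their own configuration (which carries the director password) once /etc/bacula is labelled. Add the type beside the other declarations and give the client read access: `type bacula_conf_t;`, `files_config_file(bacula_conf_t)`, `read_files_pattern(bacula_admin_t, bacula_conf_t, bacula_conf_t)`. bacula_t is unaffected only because it already has files_read_all_files, the broad grant a file daemon needs, which is why the missing declaration does not show up as a denial on the daemon side. The bacula_var_run_t rule spells out `{ create_file_perms write_file_perms unlink }`; the usual form is `manage_files_pattern(bacula_t, bacula_var_run_t, bacula_var_run_t)`. The trailing comment relies on bacula's default ports being covered by hplip_port_t and the generic-port binds widen that further; a dedicated bacula port type in corenetwork would let the daemon bind and the client connect be expressed without the hplip overlap — worth confirming against the port definitions in the tree.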

Otherwise it seems ok.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
