[refpolicy] [RFC/PATCH 1/1] Policy for Bacula

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [RFC/PATCH 1/1] Policy for Bacula
@ 2011-12-28 19:05 Sven Vermeulen
  2011-12-28 19:55 ` Sven Vermeulen
  2012-01-04 12:16 ` Christopher J. PeBenito
  0 siblings, 2 replies; 3+ messages in thread
From: Sven Vermeulen @ 2011-12-28 19:05 UTC (permalink / raw)
  To: refpolicy

This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing backup
module was not feasible (partially because it uses both a general domain and an administrative client domain).

Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 bacula.fc |   20 ++++++++++
 bacula.if |   45 +++++++++++++++++++++++
 bacula.te |  117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 182 insertions(+), 0 deletions(-)
 create mode 100644 bacula.fc
 create mode 100644 bacula.if
 create mode 100644 bacula.te

diff --git a/bacula.fc b/bacula.fc
new file mode 100644
index 0000000..b44c547
--- /dev/null
+++ b/bacula.fc
@@ -0,0 +1,20 @@
+#
+# /usr
+#
+/usr/sbin/bacula-(.*)?	--	gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/sbin/bat			gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/sbin/bconsole		gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+#
+# /etc
+#
+/etc/bacula(/.*)?	--	gen_context(system_u:object_r:bacula_conf_t,s0)
+
+# 
+# /var
+#
+/var/lib/bacula(/.*)?		gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+# A separate disk for backups mounted at /bacula or beginning with
+# /bacula also matches a restore directory like /bacula-restores
+/bacula(.*)?			gen_context(system_u:object_r:bacula_store_t,s0)
diff --git a/bacula.if b/bacula.if
new file mode 100644
index 0000000..d7f695c
--- /dev/null
+++ b/bacula.if
@@ -0,0 +1,45 @@
+## <summary>bacula backup program</summary>
+
+########################################
+## <summary>
+##	Execute user interfaces in the bacula_admin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bacula_admin_domtrans',`
+	gen_require(`
+		type bacula_admin_t, bacula_admin_exec_t;
+	')
+
+	domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
+')
+
+########################################
+## <summary>
+##	Execute user interfaces in the bacula_admin domain, and
+##	allow the specified role to transition to the bacula_admin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_admin_run',`
+	gen_require(`
+		type bacula_admin_t;
+	')
+
+	bacula_admin_domtrans($1)
+	role $2 types bacula_admin_t;
+')
diff --git a/bacula.te b/bacula.te
new file mode 100644
index 0000000..77e6ff1
--- /dev/null
+++ b/bacula.te
@@ -0,0 +1,117 @@
+policy_module(bacula, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bacula_t;
+type bacula_exec_t;
+init_daemon_domain(bacula_t, bacula_exec_t)
+
+type bacula_store_t;
+files_type(bacula_store_t)
+files_mountpoint(bacula_store_t)
+
+type bacula_var_lib_t;
+files_type(bacula_var_lib_t)
+
+type bacula_var_run_t;
+files_pid_file(bacula_var_run_t)
+
+type bacula_admin_t;
+type bacula_admin_exec_t;
+application_domain(bacula_admin_t, bacula_admin_exec_t)
+
+########################################
+#
+# Local policy - bacula daemon
+#
+
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:process signal;
+allow bacula_t self:fifo_file rw_fifo_file_perms;
+allow bacula_t self:tcp_socket create_stream_socket_perms;
+allow bacula_t self:udp_socket create_socket_perms;
+allow bacula_t self:netlink_route_socket create_netlink_socket_perms;
+
+allow bacula_t bacula_store_t:file setattr;
+
+allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};
+
+files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file)
+
+manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+
+kernel_read_kernel_sysctls(bacula_t)
+kernel_read_system_state(bacula_t)
+
+corecmd_exec_bin(bacula_t)
+corecmd_exec_shell(bacula_t)
+
+corenet_tcp_bind_generic_node(bacula_t)
+corenet_udp_bind_generic_node(bacula_t)
+corenet_tcp_bind_generic_port(bacula_t)
+corenet_udp_bind_generic_port(bacula_t)
+corenet_tcp_bind_hplip_port(bacula_t)
+corenet_udp_bind_hplip_port(bacula_t)
+corenet_tcp_connect_all_ports(bacula_t)
+corenet_tcp_connect_smtp_port(bacula_t)
+# Bacula's default port are listed already under hplip
+
+dev_getattr_all_blk_files(bacula_t)
+dev_getattr_all_chr_files(bacula_t)
+
+files_dontaudit_getattr_all_sockets(bacula_t)
+files_read_all_files(bacula_t)
+files_read_all_symlinks(bacula_t)
+
+fs_getattr_xattr_fs(bacula_t)
+fs_list_all(bacula_t)
+
+auth_read_shadow(bacula_t)
+
+logging_send_syslog_msg(bacula_t)
+
+optional_policy(`
+	mysql_stream_connect(bacula_t)
+	mysql_tcp_connect(bacula_t)
+')
+	
+optional_policy(`
+	nis_use_ypbind(bacula_t)
+')
+
+optional_policy(`
+	sysnet_use_ldap(bacula_t)
+	ldap_stream_connect(bacula_t)
+')
+
+
+########################################
+#
+# Local policy - bacula admin client
+#
+allow bacula_admin_t self:process signal;
+allow bacula_admin_t self:tcp_socket create_stream_socket_perms;
+allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
+
+corenet_tcp_connect_hplip_port(bacula_admin_t)
+corenet_udp_sendrecv_hplip_port(bacula_admin_t)
+
+domain_use_interactive_fds(bacula_admin_t)
+
+files_read_etc_files(bacula_admin_t)
+
+miscfiles_read_localization(bacula_admin_t)
+
+sysnet_dns_name_resolve(bacula_admin_t)
+
+userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+userdom_use_user_ptys(bacula_admin_t)
+
+
-- 
1.7.3.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [refpolicy] [RFC/PATCH 1/1] Policy for Bacula
  2011-12-28 19:05 [refpolicy] [RFC/PATCH 1/1] Policy for Bacula Sven Vermeulen
@ 2011-12-28 19:55 ` Sven Vermeulen
  2012-01-04 12:16 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Sven Vermeulen @ 2011-12-28 19:55 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 28, 2011 at 08:05:27PM +0100, Sven Vermeulen wrote:
> +#
> +# /etc
> +#
> +/etc/bacula(/.*)?	--	gen_context(system_u:object_r:bacula_conf_t,s0)

This should be removed (I dropped the bacula_conf_t definition later)

Wkr,
	Sven Vermeulen

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [refpolicy] [RFC/PATCH 1/1] Policy for Bacula
  2011-12-28 19:05 [refpolicy] [RFC/PATCH 1/1] Policy for Bacula Sven Vermeulen
  2011-12-28 19:55 ` Sven Vermeulen
@ 2012-01-04 12:16 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2012-01-04 12:16 UTC (permalink / raw)
  To: refpolicy

On 12/28/11 14:05, Sven Vermeulen wrote:
> This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing backup
> module was not feasible (partially because it uses both a general domain and an administrative client domain).
> 
> Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  bacula.fc |   20 ++++++++++
>  bacula.if |   45 +++++++++++++++++++++++
>  bacula.te |  117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 182 insertions(+), 0 deletions(-)
>  create mode 100644 bacula.fc
>  create mode 100644 bacula.if
>  create mode 100644 bacula.te
> 
> diff --git a/bacula.fc b/bacula.fc
> new file mode 100644
> index 0000000..b44c547
> --- /dev/null
> +++ b/bacula.fc
> @@ -0,0 +1,20 @@
> +#
> +# /usr
> +#
> +/usr/sbin/bacula-(.*)?	--	gen_context(system_u:object_r:bacula_exec_t,s0)
> +/usr/sbin/bat			gen_context(system_u:object_r:bacula_admin_exec_t,s0)
> +/usr/sbin/bconsole		gen_context(system_u:object_r:bacula_admin_exec_t,s0)
> +
> +#
> +# /etc
> +#
> +/etc/bacula(/.*)?	--	gen_context(system_u:object_r:bacula_conf_t,s0)
> +
> +# 
> +# /var
> +#
> +/var/lib/bacula(/.*)?		gen_context(system_u:object_r:bacula_var_lib_t,s0)
> +
> +# A separate disk for backups mounted at /bacula or beginning with
> +# /bacula also matches a restore directory like /bacula-restores
> +/bacula(.*)?			gen_context(system_u:object_r:bacula_store_t,s0)
> diff --git a/bacula.if b/bacula.if
> new file mode 100644
> index 0000000..d7f695c
> --- /dev/null
> +++ b/bacula.if
> @@ -0,0 +1,45 @@
> +## <summary>bacula backup program</summary>
> +
> +########################################
> +## <summary>
> +##	Execute user interfaces in the bacula_admin domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`bacula_admin_domtrans',`

Should be bacula_domtrans_admin.

> +	gen_require(`
> +		type bacula_admin_t, bacula_admin_exec_t;
> +	')
> +
> +	domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute user interfaces in the bacula_admin domain, and
> +##	allow the specified role to transition to the bacula_admin domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`bacula_admin_run',`

Should be bacula_run_admin.

> +	gen_require(`
> +		type bacula_admin_t;
> +	')
> +
> +	bacula_admin_domtrans($1)
> +	role $2 types bacula_admin_t;
> +')
> diff --git a/bacula.te b/bacula.te
> new file mode 100644
> index 0000000..77e6ff1
> --- /dev/null
> +++ b/bacula.te
> @@ -0,0 +1,117 @@
> +policy_module(bacula, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type bacula_t;
> +type bacula_exec_t;
> +init_daemon_domain(bacula_t, bacula_exec_t)
> +
> +type bacula_store_t;
> +files_type(bacula_store_t)
> +files_mountpoint(bacula_store_t)
> +
> +type bacula_var_lib_t;
> +files_type(bacula_var_lib_t)
> +
> +type bacula_var_run_t;
> +files_pid_file(bacula_var_run_t)
> +
> +type bacula_admin_t;
> +type bacula_admin_exec_t;
> +application_domain(bacula_admin_t, bacula_admin_exec_t)
> +
> +########################################
> +#
> +# Local policy - bacula daemon
> +#
> +
> +allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
> +allow bacula_t self:process signal;
> +allow bacula_t self:fifo_file rw_fifo_file_perms;
> +allow bacula_t self:tcp_socket create_stream_socket_perms;
> +allow bacula_t self:udp_socket create_socket_perms;
> +allow bacula_t self:netlink_route_socket create_netlink_socket_perms;
> +
> +allow bacula_t bacula_store_t:file setattr;

Looks like a redundant rule, though the below bacula_store_rules should be here.

> +allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};
> +
> +files_pid_filetrans(bacula_t, bacula_var_run_t, file)
> +files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file)
> +
> +manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
> +manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
> +manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
> +manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
> +
> +kernel_read_kernel_sysctls(bacula_t)
> +kernel_read_system_state(bacula_t)
> +
> +corecmd_exec_bin(bacula_t)
> +corecmd_exec_shell(bacula_t)
> +
> +corenet_tcp_bind_generic_node(bacula_t)
> +corenet_udp_bind_generic_node(bacula_t)
> +corenet_tcp_bind_generic_port(bacula_t)
> +corenet_udp_bind_generic_port(bacula_t)
> +corenet_tcp_bind_hplip_port(bacula_t)
> +corenet_udp_bind_hplip_port(bacula_t)
> +corenet_tcp_connect_all_ports(bacula_t)
> +corenet_tcp_connect_smtp_port(bacula_t)
> +# Bacula's default port are listed already under hplip
> +
> +dev_getattr_all_blk_files(bacula_t)
> +dev_getattr_all_chr_files(bacula_t)
> +
> +files_dontaudit_getattr_all_sockets(bacula_t)
> +files_read_all_files(bacula_t)
> +files_read_all_symlinks(bacula_t)
> +
> +fs_getattr_xattr_fs(bacula_t)
> +fs_list_all(bacula_t)
> +
> +auth_read_shadow(bacula_t)
> +
> +logging_send_syslog_msg(bacula_t)
> +
> +optional_policy(`
> +	mysql_stream_connect(bacula_t)
> +	mysql_tcp_connect(bacula_t)
> +')
> +	
> +optional_policy(`
> +	nis_use_ypbind(bacula_t)
> +')
> +
> +optional_policy(`
> +	sysnet_use_ldap(bacula_t)
> +	ldap_stream_connect(bacula_t)
> +')
> +
> +
> +########################################
> +#
> +# Local policy - bacula admin client
> +#
> +allow bacula_admin_t self:process signal;
> +allow bacula_admin_t self:tcp_socket create_stream_socket_perms;
> +allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
> +
> +corenet_tcp_connect_hplip_port(bacula_admin_t)
> +corenet_udp_sendrecv_hplip_port(bacula_admin_t)
> +
> +domain_use_interactive_fds(bacula_admin_t)
> +
> +files_read_etc_files(bacula_admin_t)
> +
> +miscfiles_read_localization(bacula_admin_t)
> +
> +sysnet_dns_name_resolve(bacula_admin_t)
> +
> +userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
> +userdom_use_user_ptys(bacula_admin_t)

Otherwise it seems ok.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2012-01-04 12:16 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-28 19:05 [refpolicy] [RFC/PATCH 1/1] Policy for Bacula Sven Vermeulen
2011-12-28 19:55 ` Sven Vermeulen
2012-01-04 12:16 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.