* [refpolicy] [PATCH 0/2] Adding Bacula policy
From: Sven Vermeulen @ 2012-03-01 20:17 UTC
To: refpolicy

The following two patches add the Bacula SELinux policy to the reference policy. It is split in two:
- adding the bacula domain
- allowing the sysadm role to call the bacula admin client

Wkr,
Sven Vermeulen
* [refpolicy] [PATCH 1/2] Policy for Bacula 2012-03-01 20:17 [refpolicy] [PATCH 0/2] Adding Bacula policy Sven Vermeulen @ 2012-03-01 20:18 ` Sven Vermeulen 2012-03-30 13:44 ` Christopher J. PeBenito 2012-03-01 20:18 ` [refpolicy] [PATCH 2/2] Allow sysadm to call bacula client Sven Vermeulen 1 sibling, 1 reply; 4+ messages in thread From: Sven Vermeulen @ 2012-03-01 20:18 UTC (permalink / raw) To: refpolicy This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing backup module was not feasible (partially because it uses both a general domain and an administrative client domain). Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241. Policy updated with comments from Christopher J. PeBenito. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- bacula.fc | 20 ++++++++++ bacula.if | 45 ++++++++++++++++++++++ bacula.te | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 0 deletions(-) create mode 100644 bacula.fc create mode 100644 bacula.if create mode 100644 bacula.te diff --git a/bacula.fc b/bacula.fc new file mode 100644 index 0000000..b70b6d2 --- /dev/null +++ b/bacula.fc @@ -0,0 +1,20 @@ +# +# /usr +# +/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0) +/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0) +/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0) + +# +# /etc +# +/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0) + +# +# /var +# +/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0) + +# A separate disk for backups mounted at /bacula or beginning with +# /bacula also matches a restore directory like /bacula-restores +/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0) diff --git a/bacula.if b/bacula.if new file mode 100644 index 0000000..6b1722e --- /dev/null +++ b/bacula.if 
@@ -0,0 +1,45 @@ +## <summary>bacula backup program</summary> + +######################################## +## <summary> +## Execute user interfaces in the bacula_admin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bacula_domtrans_admin',` + gen_require(` + type bacula_admin_t, bacula_admin_exec_t; + ') + + domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t) +') + +######################################## +## <summary> +## Execute user interfaces in the bacula_admin domain, and +## allow the specified role to transition to the bacula_admin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`bacula_run_admin',` + gen_require(` + type bacula_admin_t; + ') + + bacula_domtrans_admin($1) + role $2 types bacula_admin_t; +') diff --git a/bacula.te b/bacula.te new file mode 100644 index 0000000..f2ad364 --- /dev/null +++ b/bacula.te 
@@ -0,0 +1,122 @@ +policy_module(bacula, 1.0.0) + +######################################## +# +# Declarations +# + +type bacula_t; +type bacula_exec_t; +init_daemon_domain(bacula_t, bacula_exec_t) + +type bacula_etc_t; +files_type(bacula_etc_t) + +type bacula_store_t; +files_type(bacula_store_t) +files_mountpoint(bacula_store_t) + +type bacula_var_lib_t; +files_type(bacula_var_lib_t) + +type bacula_var_run_t; +files_pid_file(bacula_var_run_t) + +type bacula_admin_t; +type bacula_admin_exec_t; +application_domain(bacula_admin_t, bacula_admin_exec_t) + +######################################## +# +# Local policy - bacula daemon +# + +allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; +allow bacula_t self:process signal; +allow bacula_t self:fifo_file rw_fifo_file_perms; +allow bacula_t self:tcp_socket create_stream_socket_perms; +allow bacula_t self:udp_socket create_socket_perms; +allow bacula_t self:netlink_route_socket create_netlink_socket_perms; + +read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) + +manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t) +manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t) +manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t) + +manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t) +files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file) + +allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink}; +files_pid_filetrans(bacula_t, bacula_var_run_t, file) + +kernel_read_kernel_sysctls(bacula_t) +kernel_read_system_state(bacula_t) + +corecmd_exec_bin(bacula_t) +corecmd_exec_shell(bacula_t) + +corenet_tcp_bind_generic_node(bacula_t) +corenet_udp_bind_generic_node(bacula_t) +corenet_tcp_bind_generic_port(bacula_t) +corenet_udp_bind_generic_port(bacula_t) +corenet_tcp_bind_hplip_port(bacula_t) +corenet_udp_bind_hplip_port(bacula_t) +corenet_tcp_connect_all_ports(bacula_t) +corenet_tcp_connect_smtp_port(bacula_t) +# Bacula's 
default port are listed already under hplip + +dev_getattr_all_blk_files(bacula_t) +dev_getattr_all_chr_files(bacula_t) + +files_dontaudit_getattr_all_sockets(bacula_t) +files_read_all_files(bacula_t) +files_read_all_symlinks(bacula_t) + +fs_getattr_xattr_fs(bacula_t) +fs_list_all(bacula_t) + +auth_read_shadow(bacula_t) + +logging_send_syslog_msg(bacula_t) + +optional_policy(` + mysql_stream_connect(bacula_t) + mysql_tcp_connect(bacula_t) +') + +optional_policy(` + nis_use_ypbind(bacula_t) +') + +optional_policy(` + sysnet_use_ldap(bacula_t) + ldap_stream_connect(bacula_t) +') + + +######################################## +# +# Local policy - bacula admin client +# +allow bacula_admin_t self:process signal; +allow bacula_admin_t self:tcp_socket create_stream_socket_perms; +allow bacula_admin_t self:dgram_socket_class_set create_socket_perms; + +read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t) + +corenet_tcp_connect_hplip_port(bacula_admin_t) +corenet_udp_sendrecv_hplip_port(bacula_admin_t) + +domain_use_interactive_fds(bacula_admin_t) + +files_read_etc_files(bacula_admin_t) + +miscfiles_read_localization(bacula_admin_t) + +sysnet_dns_name_resolve(bacula_admin_t) + +userdom_dontaudit_search_user_home_dirs(bacula_admin_t) +userdom_use_user_ptys(bacula_admin_t) + + -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
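Review bot: the file-type field in bacula.fc is inconsistent: `/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0)` is restricted to regular files, but `/usr/sbin/bat` and `/usr/sbin/bconsole` carry no `--`, so a directory or symlink at either path would also be labeled bacula_admin_exec_t; add `--` to both. Also `/bacula(.*)?` is simply `/bacula.*` and, beyond the `/bacula-restores` case the comment mentions, labels any top-level entry whose name starts with `bacula` as bacula_store_t, which bacula_t may then manage; `/bacula(-[^/]*)?(/.*)?` keeps the match to `/bacula` and `/bacula-<suffix>` trees. Minor: `(.*)?` is just `.*` in the first entry as well.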
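Review bot: bacula.if has no `bacula_admin()` interface, the refpolicy convention that lets an administrative domain manage bacula_etc_t, bacula_var_lib_t, bacula_var_run_t and bacula_store_t and signal bacula_t, and no interface for other domains to read bacula_etc_t or write into bacula_store_t. Acceptable for a first version, but the commit message should list it as a known gap so the admin rules do not get added ad hoc to sysadm.te later. The two interfaces that are there are documented and use domtrans_pattern and the role statement correctly.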
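Review bot: `corenet_tcp_connect_smtp_port(bacula_t)` is redundant, `corenet_tcp_connect_all_ports(bacula_t)` directly above already covers it; more to the point, connect-to-all-ports is very broad for a daemon whose own peers are on hplip_port_t (the admin client below gets only `corenet_tcp_connect_hplip_port`) and whose database access is handled by the optional mysql block, so keep hplip and smtp and drop the all-ports rule unless the audit log demands it. The `# Bacula's default port are listed already under hplip` comment (should read `ports are`) also means hplip_port_t is shared with the HP printing ports the type is named after, so bacula_t may bind and bacula_admin_t connect to those as well; a dedicated bacula_port_t in corenetwork.te.in would scope this properly.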
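Review bot: `allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};` should be written as `manage_files_pattern(bacula_t, bacula_var_run_t, bacula_var_run_t)`; that is the refpolicy idiom and also fixes the missing space before `}` (same nit in `{ dac_read_search dac_override chown fowner fsetid}`, where dac_read_search is implied by dac_override anyway). bacula_var_lib_t only gets `manage_files_pattern` plus a `file` filetrans, so any subdirectory the daemon creates under /var/lib/bacula will be denied; if it does create one, add `manage_dirs_pattern` and transition `{ dir file }`. Worth stating in the commit message: `files_read_all_files`, `files_read_all_symlinks`, `auth_read_shadow` and `dac_override` make bacula_t a read-everything domain by design, while its writes are confined to bacula_store_t and bacula_var_lib_t, so a restore to any location outside the `/bacula*` trees will be denied; that is a sound choice for a backup agent, but administrators need to know it.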
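Review bot: in the admin client block, `allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;` covers both udp_socket and unix_dgram_socket; the daemon block names `self:udp_socket` explicitly, so do the same here and add unix_dgram_socket only if it is actually needed. `corenet_udp_sendrecv_hplip_port(bacula_admin_t)` looks unneeded next to `corenet_tcp_connect_hplip_port`: the console's session with the director is that TCP connection, so unless the audit log shows UDP to those ports it should go. Style: the daemon banner is followed by a blank line and the admin banner is not, there are two blank lines before the admin banner, and the file ends with trailing blank lines.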
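To check what labels the posted bacula.fc entries actually produce (the `--` on only one of the three /usr/sbin entries, and how far `/bacula(.*)?` reaches) without installing the module, here is an added example, not code from the patch, from refpolicy or from the Bacula project. It parses file_contexts-style lines, orders them with an approximation of refpolicy's fc_sort (regex entries before literal ones, longer directory stems later) and resolves a path the way libselinux does, last matching entry wins, honouring the file-type field. The four BASELINE_FC entries are constructed, simplified stand-ins for the base policy entries the bacula ones have to override, and Python's re stands in for the PCRE engine libselinux uses; both are assumptions of this example.

```python
"""Minimal file_contexts resolver: which SELinux type would a path get?

Added example, not part of the refpolicy patch under review. It mimics
libselinux's "last matching entry wins" lookup over a list sorted the way
refpolicy's fc_sort orders it (generic entries first, specific ones last).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified stand-ins for refpolicy base entries (assumption:
# these are not in the patch, they only give the bacula entries something to beat).
BASELINE_FC = """\
/.* gen_context(system_u:object_r:default_t,s0)
/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
"""

# The bacula.fc entries from the patch, copied as posted.
BACULA_FC = """\
/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0)
/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0)
/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0)
/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0)
"""

# file_contexts file-type field -> object class the entry is restricted to
TYPE_SPECS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}
META = set(".^$?*+|[](){}")


@dataclass(frozen=True)
class Spec:
    regex: str
    ftype: Optional[str]      # None: entry applies to every object class
    context: Optional[str]    # None: <<none>>
    pattern: re.Pattern


def parse_fc(text: str) -> list:
    """Parse "regex [typespec] context" lines; '#' starts a comment."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, tspec, ctx = fields
            ftype = TYPE_SPECS[tspec]
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        if ctx == "<<none>>":
            context = None
        elif ctx.startswith("gen_context(") and ctx.endswith(")"):
            context = ctx[len("gen_context("):-1].replace(",", ":")
        else:
            context = ctx
        specs.append(Spec(regex, ftype, context, re.compile(regex)))
    return specs


def _first_meta(regex: str) -> Optional[int]:
    """Index of the first unescaped regex metacharacter, or None if literal."""
    i = 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2
            continue
        if regex[i] in META:
            return i
        i += 1
    return None


def _sort_key(spec: Spec):
    """Approximation of fc_sort: literal entries after regex entries, longer
    stems (directory prefix before the first metachar) later, then longer
    strings, then entries that carry a file-type field."""
    meta_at = _first_meta(spec.regex)
    literal = spec.regex if meta_at is None else spec.regex[:meta_at]
    stem = literal.rpartition("/")[0]
    return (0 if meta_at is not None else 1, len(stem), len(spec.regex),
            0 if spec.ftype is None else 1)


def load_specs(*texts: str) -> list:
    return sorted((s for t in texts for s in parse_fc(t)), key=_sort_key)


def lookup(specs: list, path: str, ftype: str = "file") -> Optional[str]:
    """Last matching entry wins (libselinux walks its spec list backwards);
    entries with a file-type field only apply to that object class."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.pattern.fullmatch(path):   # file_contexts regexes are anchored
            return spec.context
    return None


def type_of(specs: list, path: str, ftype: str = "file") -> Optional[str]:
    """The type field of the resolved context, e.g. 'bacula_exec_t'."""
    ctx = lookup(specs, path, ftype)
    return None if ctx is None else ctx.split(":")[2]


if __name__ == "__main__":
    specs = load_specs(BASELINE_FC, BACULA_FC)
    for path, ftype in [("/usr/sbin/bacula-fd", "file"), ("/usr/sbin/bacula-fd", "dir"),
                        ("/usr/sbin/bat", "dir"), ("/bacula-restores/job1/data", "file"),
                        ("/baculaXYZ", "dir"), ("/etc/bacula/bacula-dir.conf", "file")]:
        print(f"{path:34} {ftype:4} -> {type_of(specs, path, ftype)}")
```

Running it shows the two points a reviewer cares about: a directory named /usr/sbin/bacula-fd falls back to bin_t because of the `--`, whereas a directory named /usr/sbin/bat is still labeled bacula_admin_exec_t, and both /bacula-restores/... and an unrelated /baculaXYZ end up as bacula_store_t.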
* [refpolicy] [PATCH 1/2] Policy for Bacula 2012-03-01 20:18 ` [refpolicy] [PATCH 1/2] Policy for Bacula Sven Vermeulen @ 2012-03-30 13:44 ` Christopher J. PeBenito 0 siblings, 0 replies; 4+ messages in thread From: Christopher J. PeBenito @ 2012-03-30 13:44 UTC (permalink / raw) To: refpolicy On 03/01/12 15:18, Sven Vermeulen wrote: > > This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing > backup module was not feasible (partially because it uses both a general domain and an administrative client domain). > > Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241. > Policy updated with comments from Christopher J. PeBenito. Merged. > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > bacula.fc | 20 ++++++++++ > bacula.if | 45 ++++++++++++++++++++++ > bacula.te | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 187 insertions(+), 0 deletions(-) > create mode 100644 bacula.fc > create mode 100644 bacula.if > create mode 100644 bacula.te > > diff --git a/bacula.fc b/bacula.fc > new file mode 100644 > index 0000000..b70b6d2 > --- /dev/null > +++ b/bacula.fc > @@ -0,0 +1,20 @@ > +# > +# /usr > +# > +/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0) > +/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0) > +/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0) > + > +# > +# /etc > +# > +/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0) > + > +# > +# /var > +# > +/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0) > + > +# A separate disk for backups mounted at /bacula or beginning with > +# /bacula also matches a restore directory like /bacula-restores > +/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0) > diff --git a/bacula.if b/bacula.if > new file mode 100644 > index 0000000..6b1722e > --- /dev/null > +++ b/bacula.if 
> @@ -0,0 +1,45 @@ > +## <summary>bacula backup program</summary> > + > +######################################## > +## <summary> > +## Execute user interfaces in the bacula_admin domain. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +# > +interface(`bacula_domtrans_admin',` > + gen_require(` > + type bacula_admin_t, bacula_admin_exec_t; > + ') > + > + domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t) > +') > + > +######################################## > +## <summary> > +## Execute user interfaces in the bacula_admin domain, and > +## allow the specified role to transition to the bacula_admin domain. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +## <param name="role"> > +## <summary> > +## Role allowed access. > +## </summary> > +## </param> > +## <rolecap/> > +# > +interface(`bacula_run_admin',` > + gen_require(` > + type bacula_admin_t; > + ') > + > + bacula_domtrans_admin($1) > + role $2 types bacula_admin_t; > +') > diff --git a/bacula.te b/bacula.te > new file mode 100644 > index 0000000..f2ad364 > --- /dev/null > +++ b/bacula.te 
> @@ -0,0 +1,122 @@ > +policy_module(bacula, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type bacula_t; > +type bacula_exec_t; > +init_daemon_domain(bacula_t, bacula_exec_t) > + > +type bacula_etc_t; > +files_type(bacula_etc_t) > + > +type bacula_store_t; > +files_type(bacula_store_t) > +files_mountpoint(bacula_store_t) > + > +type bacula_var_lib_t; > +files_type(bacula_var_lib_t) > + > +type bacula_var_run_t; > +files_pid_file(bacula_var_run_t) > + > +type bacula_admin_t; > +type bacula_admin_exec_t; > +application_domain(bacula_admin_t, bacula_admin_exec_t) > + > +######################################## > +# > +# Local policy - bacula daemon > +# > + > +allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; > +allow bacula_t self:process signal; > +allow bacula_t self:fifo_file rw_fifo_file_perms; > +allow bacula_t self:tcp_socket create_stream_socket_perms; > +allow bacula_t self:udp_socket create_socket_perms; > +allow bacula_t self:netlink_route_socket create_netlink_socket_perms; > + > +read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) > + > +manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t) > +manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t) > +manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t) > + > +manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t) > +files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file) > + > +allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink}; > +files_pid_filetrans(bacula_t, bacula_var_run_t, file) > + > +kernel_read_kernel_sysctls(bacula_t) > +kernel_read_system_state(bacula_t) > + > +corecmd_exec_bin(bacula_t) > +corecmd_exec_shell(bacula_t) > + > +corenet_tcp_bind_generic_node(bacula_t) > +corenet_udp_bind_generic_node(bacula_t) > +corenet_tcp_bind_generic_port(bacula_t) > +corenet_udp_bind_generic_port(bacula_t) > +corenet_tcp_bind_hplip_port(bacula_t) > 
+corenet_udp_bind_hplip_port(bacula_t) > +corenet_tcp_connect_all_ports(bacula_t) > +corenet_tcp_connect_smtp_port(bacula_t) > +# Bacula's default port are listed already under hplip > + > +dev_getattr_all_blk_files(bacula_t) > +dev_getattr_all_chr_files(bacula_t) > + > +files_dontaudit_getattr_all_sockets(bacula_t) > +files_read_all_files(bacula_t) > +files_read_all_symlinks(bacula_t) > + > +fs_getattr_xattr_fs(bacula_t) > +fs_list_all(bacula_t) > + > +auth_read_shadow(bacula_t) > + > +logging_send_syslog_msg(bacula_t) > + > +optional_policy(` > + mysql_stream_connect(bacula_t) > + mysql_tcp_connect(bacula_t) > +') > + > +optional_policy(` > + nis_use_ypbind(bacula_t) > +') > + > +optional_policy(` > + sysnet_use_ldap(bacula_t) > + ldap_stream_connect(bacula_t) > +') > + > + > +######################################## > +# > +# Local policy - bacula admin client > +# > +allow bacula_admin_t self:process signal; > +allow bacula_admin_t self:tcp_socket create_stream_socket_perms; > +allow bacula_admin_t self:dgram_socket_class_set create_socket_perms; > + > +read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t) > + > +corenet_tcp_connect_hplip_port(bacula_admin_t) > +corenet_udp_sendrecv_hplip_port(bacula_admin_t) > + > +domain_use_interactive_fds(bacula_admin_t) > + > +files_read_etc_files(bacula_admin_t) > + > +miscfiles_read_localization(bacula_admin_t) > + > +sysnet_dns_name_resolve(bacula_admin_t) > + > +userdom_dontaudit_search_user_home_dirs(bacula_admin_t) > +userdom_use_user_ptys(bacula_admin_t) > + > + -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH 2/2] Allow sysadm to call bacula client
From: Sven Vermeulen @ 2012-03-01 20:18 UTC
To: refpolicy

This patch allows the sysadmin to run the bacula admin client.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
--- policy/modules/roles/sysadm.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 430c5e1..3f5690c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -98,6 +98,10 @@ optional_policy(` ') optional_policy(` + bacula_run_admin(sysadm_t, sysadm_r) +') + +optional_policy(` bind_run_ndc(sysadm_t, sysadm_r) ') -- 1.7.3.4
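Review bot: the hunk lands in the right place (alphabetical, before bind_run_ndc) and wrapping it in optional_policy is correct because the bacula module may be absent. The commit message could say what the rule means in practice: since `bacula_run_admin` is built on domtrans_pattern, a sysadm running /usr/sbin/bconsole or bat is transitioned into bacula_admin_t automatically, and that domain (patch 1/2) can only read bacula_etc_t and /etc and talk TCP to hplip_port_t, so the console runs with far less than sysadm_t's privileges whoever starts it; this only holds once the bacula.fc labels have been applied with a relabel.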