2010-09-03 15:46:51

by domg472

Subject: [refpolicy] [Amanda 1/1] Clean up Amanda module.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 734bd71... e3e0701... M policy/modules/admin/amanda.fc
:100644 100644 d1d035e... 8498e97... M policy/modules/admin/amanda.if
:100644 100644 8b6bef6... 123ab37... M policy/modules/admin/amanda.te
policy/modules/admin/amanda.fc | 4 +---
policy/modules/admin/amanda.if | 28 ++++++++++++++++------------
policy/modules/admin/amanda.te | 21 ++-------------------
3 files changed, 19 insertions(+), 34 deletions(-)

diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 734bd71..e3e0701 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -1,4 +1,3 @@
-
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
@@ -8,13 +7,12 @@

/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)

-/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
-
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)

/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index d1d035e..8498e97 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -1,8 +1,9 @@
-## <summary>Automated backup program.</summary>
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>

########################################
## <summary>
-## Execute amrecover in the amanda_recover domain.
+## Execute a domain transition to run
+## Amanda recover.
## </summary>
## <param name="domain">
## <summary>
@@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',`
type amanda_recover_t, amanda_recover_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
')

########################################
## <summary>
-## Execute amrecover in the amanda_recover domain, and
-## allow the specified role the amanda_recover domain.
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
## </summary>
## <param name="domain">
## <summary>
@@ -46,7 +49,7 @@ interface(`amanda_run_recover',`

########################################
## <summary>
-## Search amanda library directories.
+## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
@@ -59,8 +62,8 @@ interface(`amanda_search_lib',`
type amanda_usr_lib_t;
')

- allow $1 amanda_usr_lib_t:dir search_dir_perms;
files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
')

########################################
@@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',`

########################################
## <summary>
-## Allow read/writing /etc/dumpdates.
+## Read and write /etc/dumpdates.
## </summary>
## <param name="domain">
## <summary>
@@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
type amanda_dumpdates_t;
')

+ files_search_etc($1)
allow $1 amanda_dumpdates_t:file rw_file_perms;
')

########################################
## <summary>
-## Search amanda library directories.
+## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
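Review bot: The reworded summary at the end of this hunk, `## Search Amanda library directories.`, still describes the wrong operation for the interface it documents: the next hunk (`@@ -114,13 +118,13 @@ interface(\`amanda_manage_lib'`) shows that interface granting `manage_dir_perms` on amanda_usr_lib_t, so the text is a copy of amanda_search_lib's summary and understates what the interface permits. Since the commit already rewrites this line, it should read `## Manage Amanda library directories.`. The interface body itself begins outside this hunk.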
@@ -114,13 +118,13 @@ interface(`amanda_manage_lib',`
type amanda_usr_lib_t;
')

- allow $1 amanda_usr_lib_t:dir manage_dir_perms;
files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
')

########################################
## <summary>
-## Allow read/writing amanda logs
+## Read and append amanda logs.
## </summary>
## <param name="domain">
## <summary>
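Review bot: The new summary `## Read and append amanda logs.` leaves the product name lowercase while every other summary this commit rewrites capitalises it as `Amanda`; for consistency with the rest of the file use `## Read and append Amanda logs.`. The wording otherwise matches the permissions the interface grants in the following hunk (`read_file_perms append_file_perms`), so only the capitalisation is off.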
@@ -133,12 +137,13 @@ interface(`amanda_append_log_files',`
type amanda_log_t;
')

+ logging_search_logs($1)
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')

#######################################
## <summary>
-## Search amanda var library directories.
+## Search Amanda var library directories.
## </summary>
## <param name="domain">
## <summary>
@@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',`

files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
-
')
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 8b6bef6..123ab37 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
type amanda_log_t;
logging_log_file(amanda_log_t)

-# type for amanda configurations files
type amanda_config_t;
files_type(amanda_config_t)

-# type for files in /usr/lib/amanda
type amanda_usr_lib_t;
files_type(amanda_usr_lib_t)

-# type for all files in /var/lib/amanda
type amanda_var_lib_t;
files_type(amanda_var_lib_t)

-# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)

type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)

-# type for /etc/amandates
type amanda_amandates_t;
files_type(amanda_amandates_t)

-# type for /etc/dumpdates
type amanda_dumpdates_t;
files_type(amanda_dumpdates_t)

-# type for amanda data
type amanda_data_t;
files_type(amanda_data_t)

-# type for amrecover
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t, amanda_recover_exec_t)
role system_r types amanda_recover_t;

-# type for recover files ( restored data )
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)

@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;

-# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file rw_file_perms;

-# configuration files -> read only
allow amanda_t amanda_config_t:file read_file_perms;

-# access to amandas data structure
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })

-# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file rw_file_perms;

can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)

-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)

-# Added for targeted policy
term_use_unallocated_ttys(amanda_t)

auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)

-optional_policy(`
- logging_send_syslog_msg(amanda_t)
-')
+logging_send_syslog_msg(amanda_t)

########################################
#
# Amanda recover local policy
+#

allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
@@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)

-# access to amanda_recover_dir_t
manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
--
1.7.2.1



2010-09-09 12:13:34

by cpebenito

Subject: [refpolicy] [Amanda 1/1] Clean up Amanda module.

On 09/03/10 11:46, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<[email protected]>

Merged.

> ---
> :100644 100644 734bd71... e3e0701... M policy/modules/admin/amanda.fc
> :100644 100644 d1d035e... 8498e97... M policy/modules/admin/amanda.if
> :100644 100644 8b6bef6... 123ab37... M policy/modules/admin/amanda.te
> policy/modules/admin/amanda.fc | 4 +---
> policy/modules/admin/amanda.if | 28 ++++++++++++++++------------
> policy/modules/admin/amanda.te | 21 ++-------------------
> 3 files changed, 19 insertions(+), 34 deletions(-)
>
> diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
> index 734bd71..e3e0701 100644
> --- a/policy/modules/admin/amanda.fc
> +++ b/policy/modules/admin/amanda.fc
> @@ -1,4 +1,3 @@
> -
> /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
> /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
> /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
> @@ -8,13 +7,12 @@
>
> /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
>
> -/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
> -
> /usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
> /usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
> /usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
> /usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
> /usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
> +
> /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
>
> /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
> diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
> index d1d035e..8498e97 100644
> --- a/policy/modules/admin/amanda.if
> +++ b/policy/modules/admin/amanda.if
> @@ -1,8 +1,9 @@
> -##<summary>Automated backup program.</summary>
> +##<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
>
> ########################################
> ##<summary>
> -## Execute amrecover in the amanda_recover domain.
> +## Execute a domain transition to run
> +## Amanda recover.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',`
> type amanda_recover_t, amanda_recover_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
> ')
>
> ########################################
> ##<summary>
> -## Execute amrecover in the amanda_recover domain, and
> -## allow the specified role the amanda_recover domain.
> +## Execute a domain transition to run
> +## Amanda recover, and allow the specified
> +## role the Amanda recover domain.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -46,7 +49,7 @@ interface(`amanda_run_recover',`
>
> ########################################
> ##<summary>
> -## Search amanda library directories.
> +## Search Amanda library directories.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -59,8 +62,8 @@ interface(`amanda_search_lib',`
> type amanda_usr_lib_t;
> ')
>
> - allow $1 amanda_usr_lib_t:dir search_dir_perms;
> files_search_usr($1)
> + allow $1 amanda_usr_lib_t:dir search_dir_perms;
> ')
>
> ########################################
> @@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',`
>
> ########################################
> ##<summary>
> -## Allow read/writing /etc/dumpdates.
> +## Read and write /etc/dumpdates.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
> type amanda_dumpdates_t;
> ')
>
> + files_search_etc($1)
> allow $1 amanda_dumpdates_t:file rw_file_perms;
> ')
>
> ########################################
> ##<summary>
> -## Search amanda library directories.
> +## Search Amanda library directories.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -114,13 +118,13 @@ interface(`amanda_manage_lib',`
> type amanda_usr_lib_t;
> ')
>
> - allow $1 amanda_usr_lib_t:dir manage_dir_perms;
> files_search_usr($1)
> + allow $1 amanda_usr_lib_t:dir manage_dir_perms;
> ')
>
> ########################################
> ##<summary>
> -## Allow read/writing amanda logs
> +## Read and append amanda logs.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -133,12 +137,13 @@ interface(`amanda_append_log_files',`
> type amanda_log_t;
> ')
>
> + logging_search_logs($1)
> allow $1 amanda_log_t:file { read_file_perms append_file_perms };
> ')
>
> #######################################
> ##<summary>
> -## Search amanda var library directories.
> +## Search Amanda var library directories.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> @@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',`
>
> files_search_var_lib($1)
> allow $1 amanda_var_lib_t:dir search_dir_perms;
> -
> ')
> diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
> index 8b6bef6..123ab37 100644
> --- a/policy/modules/admin/amanda.te
> +++ b/policy/modules/admin/amanda.te
> @@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
> type amanda_log_t;
> logging_log_file(amanda_log_t)
>
> -# type for amanda configurations files
> type amanda_config_t;
> files_type(amanda_config_t)
>
> -# type for files in /usr/lib/amanda
> type amanda_usr_lib_t;
> files_type(amanda_usr_lib_t)
>
> -# type for all files in /var/lib/amanda
> type amanda_var_lib_t;
> files_type(amanda_var_lib_t)
>
> -# type for all files in /var/lib/amanda/gnutar-lists/
> type amanda_gnutarlists_t;
> files_type(amanda_gnutarlists_t)
>
> type amanda_tmp_t;
> files_tmp_file(amanda_tmp_t)
>
> -# type for /etc/amandates
> type amanda_amandates_t;
> files_type(amanda_amandates_t)
>
> -# type for /etc/dumpdates
> type amanda_dumpdates_t;
> files_type(amanda_dumpdates_t)
>
> -# type for amanda data
> type amanda_data_t;
> files_type(amanda_data_t)
>
> -# type for amrecover
> type amanda_recover_t;
> type amanda_recover_exec_t;
> application_domain(amanda_recover_t, amanda_recover_exec_t)
> role system_r types amanda_recover_t;
>
> -# type for recover files ( restored data )
> type amanda_recover_dir_t;
> files_type(amanda_recover_dir_t)
>
> @@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
> allow amanda_t self:tcp_socket create_stream_socket_perms;
> allow amanda_t self:udp_socket create_socket_perms;
>
> -# access to amanda_amandates_t
> allow amanda_t amanda_amandates_t:file rw_file_perms;
>
> -# configuration files -> read only
> allow amanda_t amanda_config_t:file read_file_perms;
>
> -# access to amandas data structure
> manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
> manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
> filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
>
> -# access to amanda_dumpdates_t
> allow amanda_t amanda_dumpdates_t:file rw_file_perms;
>
> can_exec(amanda_t, amanda_exec_t)
> can_exec(amanda_t, amanda_inetd_exec_t)
>
> -# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
> allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
> allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
> allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
> @@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
> storage_read_tape(amanda_t)
> storage_write_tape(amanda_t)
>
> -# Added for targeted policy
> term_use_unallocated_ttys(amanda_t)
>
> auth_use_nsswitch(amanda_t)
> auth_read_shadow(amanda_t)
>
> -optional_policy(`
> - logging_send_syslog_msg(amanda_t)
> -')
> +logging_send_syslog_msg(amanda_t)
>
> ########################################
> #
> # Amanda recover local policy
> +#
>
> allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
> allow amanda_recover_t self:process { sigkill sigstop signal };
> @@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
> manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
> manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
>
> -# access to amanda_recover_dir_t
> manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
> manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
> manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com