From: domg472@gmail.com (Dominick Grift) Date: Fri, 3 Sep 2010 17:46:51 +0200 Subject: [refpolicy] [Amanda 1/1] Clean up Amanda module. Message-ID: <20100903154648.GA27648@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- :100644 100644 734bd71... e3e0701... M policy/modules/admin/amanda.fc :100644 100644 d1d035e... 8498e97... M policy/modules/admin/amanda.if :100644 100644 8b6bef6... 123ab37... M policy/modules/admin/amanda.te policy/modules/admin/amanda.fc | 4 +--- policy/modules/admin/amanda.if | 28 ++++++++++++++++------------ policy/modules/admin/amanda.te | 21 ++------------------- 3 files changed, 19 insertions(+), 34 deletions(-) diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc index 734bd71..e3e0701 100644 --- a/policy/modules/admin/amanda.fc +++ b/policy/modules/admin/amanda.fc @@ -1,4 +1,3 @@ - /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) @@ -8,13 +7,12 @@ /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) -/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0) - /usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) /usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) /usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index d1d035e..8498e97 100644 --- a/policy/modules/admin/amanda.if 
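Review bot: Dropping the `/tmp/amanda(/.*)?` entry in the second amanda.fc hunk means `restorecon` will no longer put an existing /tmp/amanda tree into `amanda_tmp_t`, while that type is still declared with `files_tmp_file(amanda_tmp_t)` in amanda.te. That is only safe if amanda_t carries a transition such as `files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })` so the directory is labelled at creation time; no such rule is visible in this patch, so it may exist outside the hunks or be missing. If it is present the removal follows the refpolicy practice of not listing /tmp paths in .fc files; if it is absent, content under /tmp/amanda will be created as plain `tmp_t` and the remaining amanda_tmp_t rules become dead. Worth confirming in the same change.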
+++ b/policy/modules/admin/amanda.if @@ -1,8 +1,9 @@ -## Automated backup program. +## Advanced Maryland Automatic Network Disk Archiver. ######################################## ## -## Execute amrecover in the amanda_recover domain. +## Execute a domain transition to run +## Amanda recover. ## ## ## @@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',` type amanda_recover_t, amanda_recover_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) ') ######################################## ## -## Execute amrecover in the amanda_recover domain, and -## allow the specified role the amanda_recover domain. +## Execute a domain transition to run +## Amanda recover, and allow the specified +## role the Amanda recover domain. ## ## ## @@ -46,7 +49,7 @@ interface(`amanda_run_recover',` ######################################## ## -## Search amanda library directories. +## Search Amanda library directories. ## ## ## @@ -59,8 +62,8 @@ interface(`amanda_search_lib',` type amanda_usr_lib_t; ') - allow $1 amanda_usr_lib_t:dir search_dir_perms; files_search_usr($1) + allow $1 amanda_usr_lib_t:dir search_dir_perms; ') ######################################## @@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',` ######################################## ## -## Allow read/writing /etc/dumpdates. +## Read and write /etc/dumpdates. ## ## ## @@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',` type amanda_dumpdates_t; ') + files_search_etc($1) allow $1 amanda_dumpdates_t:file rw_file_perms; ') ######################################## ## -## Search amanda library directories. +## Search Amanda library directories. ## ## ## 
@@ -114,13 +118,13 @@ interface(`amanda_manage_lib',` type amanda_usr_lib_t; ') - allow $1 amanda_usr_lib_t:dir manage_dir_perms; files_search_usr($1) + allow $1 amanda_usr_lib_t:dir manage_dir_perms; ') ######################################## ## -## Allow read/writing amanda logs +## Read and append amanda logs. ## ## ## @@ -133,12 +137,13 @@ interface(`amanda_append_log_files',` type amanda_log_t; ') + logging_search_logs($1) allow $1 amanda_log_t:file { read_file_perms append_file_perms }; ') ####################################### ## -## Search amanda var library directories. +## Search Amanda var library directories. ## ## ## @@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',` files_search_var_lib($1) allow $1 amanda_var_lib_t:dir search_dir_perms; - ') diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 8b6bef6..123ab37 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te 
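Review bot: The summary of `amanda_manage_lib` still reads `## Search Amanda library directories.` even though the interface grants `manage_dir_perms`; since this hunk already rewrites that line, it should describe what is actually granted, e.g. `## Create, read, write, and delete Amanda library directories.`. As written, someone looking for a search-only interface will pick up a manage-level one. The body only covers the `dir` class in the visible lines, so the summary should not promise file access either.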
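Review bot: The new summary `## Read and append amanda logs.` keeps lowercase `amanda` while the other summaries in this patch were normalised to `Amanda`; suggest `## Read and append Amanda log files.`, which also matches the `_files` suffix of `amanda_append_log_files`. The added `logging_search_logs($1)` is the right companion to the `amanda_log_t:file` rule, so no change there.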
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
 type amanda_log_t;
 logging_log_file(amanda_log_t)
-# type for amanda configurations files
 type amanda_config_t;
 files_type(amanda_config_t)
-# type for files in /usr/lib/amanda
 type amanda_usr_lib_t;
 files_type(amanda_usr_lib_t)
-# type for all files in /var/lib/amanda
 type amanda_var_lib_t;
 files_type(amanda_var_lib_t)
-# type for all files in /var/lib/amanda/gnutar-lists/
 type amanda_gnutarlists_t;
 files_type(amanda_gnutarlists_t)
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
-# type for /etc/amandates
 type amanda_amandates_t;
 files_type(amanda_amandates_t)
-# type for /etc/dumpdates
 type amanda_dumpdates_t;
 files_type(amanda_dumpdates_t)
-# type for amanda data
 type amanda_data_t;
 files_type(amanda_data_t)
-# type for amrecover
 type amanda_recover_t;
 type amanda_recover_exec_t;
 application_domain(amanda_recover_t, amanda_recover_exec_t)
 role system_r types amanda_recover_t;
-# type for recover files ( restored data )
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
-# access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file rw_file_perms;
-# configuration files -> read only
 allow amanda_t amanda_config_t:file read_file_perms;
-# access to amandas data structure
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
-# access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
 can_exec(amanda_t, amanda_exec_t)
 can_exec(amanda_t, amanda_inetd_exec_t)
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
 allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
 storage_write_tape(amanda_t)
-# Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
 auth_use_nsswitch(amanda_t)
 auth_read_shadow(amanda_t)
-optional_policy(`
- logging_send_syslog_msg(amanda_t)
-')
+logging_send_syslog_msg(amanda_t)
 ########################################
 #
 # Amanda recover local policy
+#
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
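Review bot: Removing `# Added for targeted policy` above `term_use_unallocated_ttys(amanda_t)` in the second hunk leaves a fairly broad terminal grant with no recorded rationale, and the other deleted comments were descriptive rather than justifying. Either keep a one-line why-comment stating what amanda_t needs unallocated ttys for, or verify the call is still required and remove it in a follow-up rather than silently keeping it. Making `logging_send_syslog_msg(amanda_t)` unconditional looks fine provided logging stays a required base module, which is the refpolicy norm.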
@@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
 manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
-# access to amanda_recover_dir_t
 manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
-- 1.7.2.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/69281b5a/attachment.bin