From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 09 Sep 2010 08:13:34 -0400
Subject: [refpolicy] [Amanda 1/1] Clean up Amanda module.
In-Reply-To: <20100903154648.GA27648@localhost.localdomain>
References: <20100903154648.GA27648@localhost.localdomain>
Message-ID: <4C88CF6E.4030002@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/03/10 11:46, Dominick Grift wrote:
> Signed-off-by: Dominick Grift
Merged.
> ---
> :100644 100644 734bd71... e3e0701... M policy/modules/admin/amanda.fc
> :100644 100644 d1d035e... 8498e97... M policy/modules/admin/amanda.if
> :100644 100644 8b6bef6... 123ab37... M policy/modules/admin/amanda.te
> policy/modules/admin/amanda.fc | 4 +---
> policy/modules/admin/amanda.if | 28 ++++++++++++++++------------
> policy/modules/admin/amanda.te | 21 ++-------------------
> 3 files changed, 19 insertions(+), 34 deletions(-)
>
> diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
> index 734bd71..e3e0701 100644
> --- a/policy/modules/admin/amanda.fc
> +++ b/policy/modules/admin/amanda.fc
> @@ -1,4 +1,3 @@
> -
> /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
> /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
> /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
> @@ -8,13 +7,12 @@
>
> /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
>
> -/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
> -
> /usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
> /usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
> /usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
> /usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
> /usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
> +
> /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
>
> /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
> diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
> index d1d035e..8498e97 100644
> --- a/policy/modules/admin/amanda.if
> +++ b/policy/modules/admin/amanda.if
> @@ -1,8 +1,9 @@
> -##Automated backup program.
> +##Advanced Maryland Automatic Network Disk Archiver.
>
> ########################################
> ##
> -## Execute amrecover in the amanda_recover domain.
> +## Execute a domain transition to run
> +## Amanda recover.
> ##
> ##
> ##
> @@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',`
> type amanda_recover_t, amanda_recover_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
> ')
>
> ########################################
> ##
> -## Execute amrecover in the amanda_recover domain, and
> -## allow the specified role the amanda_recover domain.
> +## Execute a domain transition to run
> +## Amanda recover, and allow the specified
> +## role the Amanda recover domain.
> ##
> ##
> ##
> @@ -46,7 +49,7 @@ interface(`amanda_run_recover',`
>
> ########################################
> ##
> -## Search amanda library directories.
> +## Search Amanda library directories.
> ##
> ##
> ##
> @@ -59,8 +62,8 @@ interface(`amanda_search_lib',`
> type amanda_usr_lib_t;
> ')
>
> - allow $1 amanda_usr_lib_t:dir search_dir_perms;
> files_search_usr($1)
> + allow $1 amanda_usr_lib_t:dir search_dir_perms;
> ')
>
> ########################################
> @@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',`
>
> ########################################
> ##
> -## Allow read/writing /etc/dumpdates.
> +## Read and write /etc/dumpdates.
> ##
> ##
> ##
> @@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
> type amanda_dumpdates_t;
> ')
>
> + files_search_etc($1)
> allow $1 amanda_dumpdates_t:file rw_file_perms;
> ')
>
> ########################################
> ##
> -## Search amanda library directories.
> +## Search Amanda library directories.
> ##
> ##
> ##
> @@ -114,13 +118,13 @@ interface(`amanda_manage_lib',`
> type amanda_usr_lib_t;
> ')
>
> - allow $1 amanda_usr_lib_t:dir manage_dir_perms;
> files_search_usr($1)
> + allow $1 amanda_usr_lib_t:dir manage_dir_perms;
> ')
>
> ########################################
> ##
> -## Allow read/writing amanda logs
> +## Read and append amanda logs.
> ##
> ##
> ##
> @@ -133,12 +137,13 @@ interface(`amanda_append_log_files',`
> type amanda_log_t;
> ')
>
> + logging_search_logs($1)
> allow $1 amanda_log_t:file { read_file_perms append_file_perms };
> ')
>
> #######################################
> ##
> -## Search amanda var library directories.
> +## Search Amanda var library directories.
> ##
> ##
> ##
> @@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',`
>
> files_search_var_lib($1)
> allow $1 amanda_var_lib_t:dir search_dir_perms;
> -
> ')
> diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
> index 8b6bef6..123ab37 100644
> --- a/policy/modules/admin/amanda.te
> +++ b/policy/modules/admin/amanda.te
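Review bot: The re-worded summary of `amanda_manage_lib` in the `@@ -114,13 +118,13 @@` hunk still reads `## Search Amanda library directories.`, while the interface body grants `manage_dir_perms` on `amanda_usr_lib_t`; it should read `## Manage Amanda library directories.` so callers are not misled about the scope of the permission they pull in. The summary text appears to have been copied from `amanda_search_lib`, whose identical wording is correct. The patch also capitalizes `amanda` to `Amanda` in the other summaries but leaves `## Read and append amanda logs.` in `amanda_append_log_files` in lowercase. Each interface body begins above its hunk, so the parameter documentation could not be checked here.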
> @@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
> type amanda_log_t;
> logging_log_file(amanda_log_t)
>
> -# type for amanda configurations files
> type amanda_config_t;
> files_type(amanda_config_t)
>
> -# type for files in /usr/lib/amanda
> type amanda_usr_lib_t;
> files_type(amanda_usr_lib_t)
>
> -# type for all files in /var/lib/amanda
> type amanda_var_lib_t;
> files_type(amanda_var_lib_t)
>
> -# type for all files in /var/lib/amanda/gnutar-lists/
> type amanda_gnutarlists_t;
> files_type(amanda_gnutarlists_t)
>
> type amanda_tmp_t;
> files_tmp_file(amanda_tmp_t)
>
> -# type for /etc/amandates
> type amanda_amandates_t;
> files_type(amanda_amandates_t)
>
> -# type for /etc/dumpdates
> type amanda_dumpdates_t;
> files_type(amanda_dumpdates_t)
>
> -# type for amanda data
> type amanda_data_t;
> files_type(amanda_data_t)
>
> -# type for amrecover
> type amanda_recover_t;
> type amanda_recover_exec_t;
> application_domain(amanda_recover_t, amanda_recover_exec_t)
> role system_r types amanda_recover_t;
>
> -# type for recover files ( restored data )
> type amanda_recover_dir_t;
> files_type(amanda_recover_dir_t)
>
> @@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
> allow amanda_t self:tcp_socket create_stream_socket_perms;
> allow amanda_t self:udp_socket create_socket_perms;
>
> -# access to amanda_amandates_t
> allow amanda_t amanda_amandates_t:file rw_file_perms;
>
> -# configuration files -> read only
> allow amanda_t amanda_config_t:file read_file_perms;
>
> -# access to amandas data structure
> manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
> manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
> filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
>
> -# access to amanda_dumpdates_t
> allow amanda_t amanda_dumpdates_t:file rw_file_perms;
>
> can_exec(amanda_t, amanda_exec_t)
> can_exec(amanda_t, amanda_inetd_exec_t)
>
> -# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
> allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
> allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
> allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
> @@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
> storage_read_tape(amanda_t)
> storage_write_tape(amanda_t)
>
> -# Added for targeted policy
> term_use_unallocated_ttys(amanda_t)
>
> auth_use_nsswitch(amanda_t)
> auth_read_shadow(amanda_t)
>
> -optional_policy(`
> - logging_send_syslog_msg(amanda_t)
> -')
> +logging_send_syslog_msg(amanda_t)
>
> ########################################
> #
> # Amanda recover local policy
> +#
>
> allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
> allow amanda_recover_t self:process { sigkill sigstop signal };
> @@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
> manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
> manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
>
> -# access to amanda_recover_dir_t
> manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
> manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
> manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com