From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 09 Sep 2010 08:29:36 -0400
Subject: [refpolicy] [Backup 1/1] Clean up the Back up modules.
In-Reply-To: <20100903155055.GA27727@localhost.localdomain>
References: <20100903155055.GA27727@localhost.localdomain>
Message-ID: <4C88D330.4070705@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/03/10 11:50, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 223b7f2... d924d71... M	policy/modules/admin/backup.fc
> :100644 100644 1017b7a... 44ee47c... M	policy/modules/admin/backup.if
> :100644 100644 0bfc958... e656c20... M	policy/modules/admin/backup.te
>   policy/modules/admin/backup.fc |   13 +++----------
>   policy/modules/admin/backup.if |    8 +++++---
>   policy/modules/admin/backup.te |    1 -
>   3 files changed, 8 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc
> index 223b7f2..d924d71 100644
> --- a/policy/modules/admin/backup.fc
> +++ b/policy/modules/admin/backup.fc
> @@ -1,13 +1,6 @@
> -# backup
> -# label programs that do backups to other files on disk (IE a cron job that
> -# calls tar) in backup_exec_t and label the directory for storing them as
> -# backup_store_t, Debian uses /var/backups
> +/usr/local/bin/backup-script	--	gen_context(system_u:object_r:backup_exec_t,s0)
>
> -#/usr/local/bin/backup-script	--	gen_context(system_u:object_r:backup_exec_t,s0)

This has traditionally been an example for a script.  Is there a distro 
that actually has this script?  If not, it should stay a comment.

> -
> -ifdef(`distro_debian',`
> -/etc/cron.daily/aptitude	--	gen_context(system_u:object_r:backup_exec_t,s0)
> -/etc/cron.daily/standard	--	gen_context(system_u:object_r:backup_exec_t,s0)
> -')
> +/etc/cron\.daily/aptitude	--	gen_context(system_u:object_r:backup_exec_t,s0)
> +/etc/cron\.daily/standard	--	gen_context(system_u:object_r:backup_exec_t,s0)
>
>   /var/backups(/.*)?			gen_context(system_u:object_r:backup_store_t,s0)
> diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
> index 1017b7a..44ee47c 100644
> --- a/policy/modules/admin/backup.if
> +++ b/policy/modules/admin/backup.if
> @@ -2,7 +2,8 @@
>
>   ########################################
>   ##<summary>
> -##	Execute backup in the backup domain.
> +##	Execute a domain transition to run
> +##	Backup.
>   ##</summary>
>   ##<param name="domain">
>   ##	<summary>
> @@ -20,8 +21,9 @@ interface(`backup_domtrans',`
>
>   ########################################
>   ##<summary>
> -##	Execute backup in the backup domain, and
> -##	allow the specified role the backup domain.
> +##	Execute a domain transition to run
> +##	Backup, and allow the specified role
> +##	the Backup domain.
>   ##</summary>
>   ##<param name="domain">
>   ##	<summary>
> diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
> index 0bfc958..e656c20 100644
> --- a/policy/modules/admin/backup.te
> +++ b/policy/modules/admin/backup.te
> @@ -51,7 +51,6 @@ corenet_sendrecv_all_client_packets(backup_t)
>
>   dev_getattr_all_blk_files(backup_t)
>   dev_getattr_all_chr_files(backup_t)
> -# for SSP
>   dev_read_urand(backup_t)

As far as I know, this is still true, so it should be kept.

>   domain_use_interactive_fds(backup_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com