From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 09 Sep 2010 10:54:11 -0400 Subject: [refpolicy] [Backup 1/1] Clean up the Back up modules. In-Reply-To: <20100909123805.GC16089@localhost.localdomain> References: <20100903155055.GA27727@localhost.localdomain> <4C88D330.4070705@tresys.com> <20100909123805.GC16089@localhost.localdomain> Message-ID: <4C88F513.70206@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/09/10 08:38, Dominick Grift wrote: > On Thu, Sep 09, 2010 at 08:29:36AM -0400, Christopher J. PeBenito wrote: >> On 09/03/10 11:50, Dominick Grift wrote: >>> Signed-off-by: Dominick Grift >>> --- >>> :100644 100644 223b7f2... d924d71... M policy/modules/admin/backup.fc >>> :100644 100644 1017b7a... 44ee47c... M policy/modules/admin/backup.if >>> :100644 100644 0bfc958... e656c20... M policy/modules/admin/backup.te >>> policy/modules/admin/backup.fc | 13 +++---------- >>> policy/modules/admin/backup.if | 8 +++++--- >>> policy/modules/admin/backup.te | 1 - >>> 3 files changed, 8 insertions(+), 14 deletions(-) >>> >>> diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc >>> index 223b7f2..d924d71 100644 >>> --- a/policy/modules/admin/backup.fc >>> +++ b/policy/modules/admin/backup.fc 
>>> @@ -1,13 +1,6 @@ >>> -# backup >>> -# label programs that do backups to other files on disk (IE a cron job that >>> -# calls tar) in backup_exec_t and label the directory for storing them as >>> -# backup_store_t, Debian uses /var/backups >>> +/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0) >>> >>> -#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0) >> >> This has traditionally been an example for a script. Is there a >> distro that actually has this script? If not, it should stay a >> comment. > > We already have an example policy in doc/. Maybe we should just remove this module altogether? I think you might be misunderstanding. I'm only saying that the above /usr/local/bin/backup-script file context should remain commented unless there is a distro that actually has it. The policy should stay since the below scripts use it. If they are gone on debian, then we can consider removing it. >>> - >>> -ifdef(`distro_debian',` >>> -/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) >>> -/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) >>> -') >>> +/etc/cron\.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) >>> +/etc/cron\.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) >>> >>> /var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0) >>> diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if >>> index 1017b7a..44ee47c 100644 >>> --- a/policy/modules/admin/backup.if >>> +++ b/policy/modules/admin/backup.if >>> @@ -2,7 +2,8 @@ >>> >>> ######################################## >>> ## >>> -## Execute backup in the backup domain. >>> +## Execute a domain transition to run >>> +## Backup. >>> ## >>> ## >>> ## 
>>> @@ -20,8 +21,9 @@ interface(`backup_domtrans',` >>> >>> ######################################## >>> ## >>> -## Execute backup in the backup domain, and >>> -## allow the specified role the backup domain. >>> +## Execute a domain transition to run >>> +## Backup, and allow the specified role >>> +## the Backup domain. >>> ## >>> ## >>> ## >>> diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te >>> index 0bfc958..e656c20 100644 >>> --- a/policy/modules/admin/backup.te >>> +++ b/policy/modules/admin/backup.te >>> @@ -51,7 +51,6 @@ corenet_sendrecv_all_client_packets(backup_t) >>> >>> dev_getattr_all_blk_files(backup_t) >>> dev_getattr_all_chr_files(backup_t) >>> -# for SSP >>> dev_read_urand(backup_t) >> >> As far as I know, this is still true, so it should be kept. > > What is true: that ssp requires urandom, or the backup domain needs dev_read_urandom? > Either way I just removed the comment, not the interface call. > > But I can tell you from experience that a backup script does not usually need access to urandom. That's precisely why I want to keep the comment. If we know why the rule is there in refpolicy, then people that want to customize the policy can remove it if they know that they don't use SSP. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
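Review bot: In the backup.fc hunk (@@ -1,13 +1,6 @@), removing the ifdef(`distro_debian',` ... ') wrapper makes the /etc/cron\.daily/aptitude and /etc/cron\.daily/standard entries apply on every distribution, and uncommenting /usr/local/bin/backup-script turns an example into a live file context, so any file that appears at those paths gets labeled backup_exec_t. Nothing in the patch shows those paths to be backup programs outside Debian. Suggest keeping the distro_debian wrapper and leaving the backup-script line commented, while keeping the `cron\.daily` escape, which correctly makes the dot literal in the path regex. The removed header comment was also the only description of what backup_exec_t and backup_store_t are meant for, so it is worth keeping in some form.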
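Review bot: Style point on both backup.if hunks (@@ -2,7 +2,8 @@ and @@ -20,8 +21,9 @@): the new summaries capitalize "Backup" mid-sentence ("to run Backup", "the Backup domain"), while the module, its types (backup_t, backup_exec_t) and the interface name backup_domtrans are all lowercase and "backup" here is a generic role, not a product name. Suggest "Execute a domain transition to run backup." and "allow the specified role the backup domain." so the summary reads consistently with the identifiers it documents.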
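Review bot: In the backup.te hunk (@@ -51,7 +51,6 @@), deleting "# for SSP" leaves dev_read_urand(backup_t) with no stated reason, which makes it harder for anyone tightening the policy to decide whether the rule can be dropped. The rule itself is unchanged by this hunk, so the cleanup removes only documentation. Suggest keeping the comment, or expanding it to say the access is there for SSP rather than for the backup programs themselves.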