From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 1 Mar 2012 21:18:03 +0100 Subject: [refpolicy] [PATCH 1/2] Policy for Bacula In-Reply-To: <20120301201716.GB17815@siphos.be> References: <20120301201716.GB17815@siphos.be> Message-ID: <20120301201803.GC17815@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This adds a new SELinux module "bacula" for the bacula backup application. Directly mapping bacula on the existing backup module was not feasible (partially because it uses both a general domain and an administrative client domain). Policy provided by Stan Sander through https://bugs.gentoo.org/show_bug.cgi?id=396241. Policy updated with comments from Christopher J. PeBenito. Signed-off-by: Sven Vermeulen --- bacula.fc | 20 ++++++++++ bacula.if | 45 ++++++++++++++++++++++ bacula.te | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 187 insertions(+), 0 deletions(-) create mode 100644 bacula.fc create mode 100644 bacula.if create mode 100644 bacula.te diff --git a/bacula.fc b/bacula.fc new file mode 100644 index 0000000..b70b6d2 --- /dev/null +++ b/bacula.fc @@ -0,0 +1,20 @@ +# +# /usr +# +/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0) +/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0) +/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0) + +# +# /etc +# +/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0) + +# +# /var +# +/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0) + +# A separate disk for backups mounted at /bacula or beginning with +# /bacula also matches a restore directory like /bacula-restores +/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0) diff --git a/bacula.if b/bacula.if new file mode 100644 index 0000000..6b1722e --- /dev/null +++ b/bacula.if @@ -0,0 +1,45 @@ +## bacula backup program + +######################################## +## +## Execute user interfaces in the bacula_admin domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`bacula_domtrans_admin',` + gen_require(` + type bacula_admin_t, bacula_admin_exec_t; + ') + + domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t) +') + +######################################## +## +## Execute user interfaces in the bacula_admin domain, and +## allow the specified role to transition to the bacula_admin domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`bacula_run_admin',` + gen_require(` + type bacula_admin_t; + ') + + bacula_domtrans_admin($1) + role $2 types bacula_admin_t; +') diff --git a/bacula.te b/bacula.te new file mode 100644 index 0000000..f2ad364 --- /dev/null +++ b/bacula.te @@ -0,0 +1,122 @@ +policy_module(bacula, 1.0.0) + +######################################## +# +# Declarations +# + +type bacula_t; +type bacula_exec_t; +init_daemon_domain(bacula_t, bacula_exec_t) + +type bacula_etc_t; +files_type(bacula_etc_t) + +type bacula_store_t; +files_type(bacula_store_t) +files_mountpoint(bacula_store_t) + +type bacula_var_lib_t; +files_type(bacula_var_lib_t) + +type bacula_var_run_t; +files_pid_file(bacula_var_run_t) + +type bacula_admin_t; +type bacula_admin_exec_t; +application_domain(bacula_admin_t, bacula_admin_exec_t) + +######################################## +# +# Local policy - bacula daemon +# + +allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; +allow bacula_t self:process signal; +allow bacula_t self:fifo_file rw_fifo_file_perms; +allow bacula_t self:tcp_socket create_stream_socket_perms; +allow bacula_t self:udp_socket create_socket_perms; +allow bacula_t self:netlink_route_socket create_netlink_socket_perms; + +read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) + +manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t) +manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t) +manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t) + +manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t) +files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file) + +allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink}; +files_pid_filetrans(bacula_t, bacula_var_run_t, file) + +kernel_read_kernel_sysctls(bacula_t) +kernel_read_system_state(bacula_t) + +corecmd_exec_bin(bacula_t) +corecmd_exec_shell(bacula_t) + +corenet_tcp_bind_generic_node(bacula_t) +corenet_udp_bind_generic_node(bacula_t) +corenet_tcp_bind_generic_port(bacula_t) +corenet_udp_bind_generic_port(bacula_t) +corenet_tcp_bind_hplip_port(bacula_t) +corenet_udp_bind_hplip_port(bacula_t) +corenet_tcp_connect_all_ports(bacula_t) +corenet_tcp_connect_smtp_port(bacula_t) +# Bacula's default port are listed already under hplip + +dev_getattr_all_blk_files(bacula_t) +dev_getattr_all_chr_files(bacula_t) + +files_dontaudit_getattr_all_sockets(bacula_t) +files_read_all_files(bacula_t) +files_read_all_symlinks(bacula_t) + +fs_getattr_xattr_fs(bacula_t) +fs_list_all(bacula_t) + +auth_read_shadow(bacula_t) + +logging_send_syslog_msg(bacula_t) + +optional_policy(` + mysql_stream_connect(bacula_t) + mysql_tcp_connect(bacula_t) +') + +optional_policy(` + nis_use_ypbind(bacula_t) +') + +optional_policy(` + sysnet_use_ldap(bacula_t) + ldap_stream_connect(bacula_t) +') + + +######################################## +# +# Local policy - bacula admin client +# +allow bacula_admin_t self:process signal; +allow bacula_admin_t self:tcp_socket create_stream_socket_perms; +allow bacula_admin_t self:dgram_socket_class_set create_socket_perms; + +read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t) + +corenet_tcp_connect_hplip_port(bacula_admin_t) +corenet_udp_sendrecv_hplip_port(bacula_admin_t) + +domain_use_interactive_fds(bacula_admin_t) + +files_read_etc_files(bacula_admin_t) + +miscfiles_read_localization(bacula_admin_t) + +sysnet_dns_name_resolve(bacula_admin_t) + +userdom_dontaudit_search_user_home_dirs(bacula_admin_t) +userdom_use_user_ptys(bacula_admin_t) + + -- 1.7.3.4