[selinux-policy: 2888/3172] Clean up Amanda module.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:17:11 UTC 2010


commit 8296eb22619f521aced6a9f11064367735cd5223
Author: Dominick Grift <domg472 at gmail.com>
Date:   Fri Sep 3 17:46:51 2010 +0200

    Clean up Amanda module.
    
    Signed-off-by: Dominick Grift <domg472 at gmail.com>

 policy/modules/admin/amanda.fc |    4 +---
 policy/modules/admin/amanda.if |   28 ++++++++++++++++------------
 policy/modules/admin/amanda.te |   21 ++-------------------
 3 files changed, 19 insertions(+), 34 deletions(-)
---
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 734bd71..e3e0701 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -1,4 +1,3 @@
-
 /etc/amanda(/.*)?			gen_context(system_u:object_r:amanda_config_t,s0)
 /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
@@ -8,13 +7,12 @@
 
 /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
 
-/tmp/amanda(/.*)?			gen_context(system_u:object_r:amanda_tmp_t,s0)
-
 /usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
 /usr/lib(64)?/amanda/.+		--	gen_context(system_u:object_r:amanda_exec_t,s0)
 /usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
 /usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
 /var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)
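Review bot: Removing the `/tmp/amanda(/.*)?` entry leaves amanda_tmp_t with no file context at all, while the type is still declared with files_tmp_file in amanda.te (visible in this commit's amanda.te hunk). That is only harmless if amanda_t obtains its temporary directory through a files_tmp_filetrans rule, which is not visible in this diff; without one, directories created under /tmp would presumably end up as tmp_t and a restorecon could no longer relabel them to amanda_tmp_t. If such a filetrans exists, a sentence in the commit message saying so would make the removal self-explaining; if it does not, the entry should stay.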
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index d1d035e..8498e97 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -1,8 +1,9 @@
-## <summary>Automated backup program.</summary>
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
 
 ########################################
 ## <summary>
-##	Execute amrecover in the amanda_recover domain.
+##	Execute a domain transition to run
+##	Amanda recover.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',`
 		type amanda_recover_t, amanda_recover_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute amrecover in the amanda_recover domain, and
-##	allow the specified role the amanda_recover domain.
+##	Execute a domain transition to run
+##	Amanda recover, and allow the specified
+##	role the Amanda recover domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -46,7 +49,7 @@ interface(`amanda_run_recover',`
 
 ########################################
 ## <summary>
-##	Search amanda library directories.
+##	Search Amanda library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59,8 +62,8 @@ interface(`amanda_search_lib',`
 		type amanda_usr_lib_t;
 	')
 
-	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 	files_search_usr($1)
+	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',`
 
 ########################################
 ## <summary>
-##	Allow read/writing /etc/dumpdates.
+##	Read and write /etc/dumpdates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
 		type amanda_dumpdates_t;
 	')
 
+	files_search_etc($1)
 	allow $1 amanda_dumpdates_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search amanda library directories.
+##	Search Amanda library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -114,13 +118,13 @@ interface(`amanda_manage_lib',`
 		type amanda_usr_lib_t;
 	')
 
-	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 	files_search_usr($1)
+	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Allow read/writing amanda logs
+##	Read and append amanda logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -133,12 +137,13 @@ interface(`amanda_append_log_files',`
 		type amanda_log_t;
 	')
 
+	logging_search_logs($1)
 	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
 
 #######################################
 ## <summary>
-##	Search amanda var library directories.
+##	Search Amanda var library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',`
 
 	files_search_var_lib($1)
 	allow $1 amanda_var_lib_t:dir search_dir_perms;
-
 ')
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 8b6bef6..123ab37 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
 type amanda_log_t;
 logging_log_file(amanda_log_t)
 
-# type for amanda configurations files
 type amanda_config_t;
 files_type(amanda_config_t)
 
-# type for files in /usr/lib/amanda
 type amanda_usr_lib_t;
 files_type(amanda_usr_lib_t)
 
-# type for all files in /var/lib/amanda
 type amanda_var_lib_t;
 files_type(amanda_var_lib_t)
 
-# type for all files in /var/lib/amanda/gnutar-lists/
 type amanda_gnutarlists_t;
 files_type(amanda_gnutarlists_t)
 
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
 
-# type for /etc/amandates
 type amanda_amandates_t;
 files_type(amanda_amandates_t)
 
-# type for /etc/dumpdates
 type amanda_dumpdates_t;
 files_type(amanda_dumpdates_t)
 
-# type for amanda data
 type amanda_data_t;
 files_type(amanda_data_t)
 
-# type for amrecover
 type amanda_recover_t;
 type amanda_recover_exec_t;
 application_domain(amanda_recover_t, amanda_recover_exec_t)
 role system_r types amanda_recover_t;
 
-# type for recover files ( restored data )
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
 
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
 
-# access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file rw_file_perms;
 
-# configuration files -> read only
 allow amanda_t amanda_config_t:file read_file_perms;
 
-# access to amandas data structure
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
-# access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
 
 can_exec(amanda_t, amanda_exec_t)
 can_exec(amanda_t, amanda_inetd_exec_t)
 
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
 allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
 storage_write_tape(amanda_t)
 
-# Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
 
 auth_use_nsswitch(amanda_t)
 auth_read_shadow(amanda_t)
 
-optional_policy(`
-	logging_send_syslog_msg(amanda_t)
-')
+logging_send_syslog_msg(amanda_t)
 
 ########################################
 #
 # Amanda recover local policy
+#
 
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
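Review bot: Dropping `# Added for targeted policy` above `term_use_unallocated_ttys(amanda_t)` removes the only recorded reason a backup daemon is allowed to use unallocated ttys, which is a fairly broad permission to leave unexplained. If the rule is kept, a short why-comment such as `# tty access kept for targeted policy; revisit whether still needed` preserves that history for the next cleanup. Making `logging_send_syslog_msg(amanda_t)` unconditional looks fine, since the logging module is part of base policy and the optional_policy wrapper was redundant.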
@@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
 manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 
-# access to amanda_recover_dir_t
 manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)

