This patch aims to clean up the amanda module and to apply trivial redhat modifications to refpolicy amanda module. Note: fstools_signal() call did not exist and there was also no redhat patch for this interface, and so i created one myself. However , i do not know for sure if only signal perm was meant with fstools_signal: http://people.fedoraproject.org/~dwalsh/SELinux/Policy/admin_amanda.patch refer to [refpolicy patch 2/2] revisit and apply trivial modifications to fstools module.
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.if
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.if (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.if (working copy)
@@ -15,7 +15,7 @@
 type amanda_recover_t, amanda_recover_exec_t;
 ')
- domtrans_pattern($1,amanda_recover_exec_t,amanda_recover_t)
+ domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
 ')
 ########################################
@@ -47,7 +47,7 @@
 amanda_domtrans_recover($1)
 role $2 types amanda_recover_t;
- allow amanda_recover_t $3:chr_file rw_term_perms;
+ rw_chr_files_pattern(amanda_recover_t, $3, $3)
 ')
 ########################################
@@ -65,8 +65,8 @@
 type amanda_usr_lib_t;
 ')
- allow $1 amanda_usr_lib_t:dir search_dir_perms;
 files_search_usr($1)
+ search_dirs_pattern($1, amanda_usr_lib_t, amanda_usr_lib_t)
 ')
 ########################################
@@ -102,7 +102,7 @@
 type amanda_dumpdates_t;
 ')
- allow $1 amanda_dumpdates_t:file rw_file_perms;
+ rw_files_pattern($1, amanda_dumpdates_t, amanda_dumpdates_t)
 ')
 ########################################
@@ -120,8 +120,8 @@
 type amanda_usr_lib_t;
 ')
- allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 files_search_usr($1)
+ manage_dirs_pattern($1, amanda_usr_lib_t, amanda_usr_lib_t)
 ')
 ########################################
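Review bot: Replacing `allow amanda_recover_t $3:chr_file rw_term_perms;` with `rw_chr_files_pattern(amanda_recover_t, $3, $3)` in the @@ -47,7 hunk is not a spelling change: the pattern expands to a `dir search_dir_perms` allow on its second argument plus `chr_file rw_chr_file_perms` on its third, so here it grants `amanda_recover_t $3:dir search_dir_perms` against a terminal type and swaps the terminal permission set for the generic chr_file one (which, if I read obj_perm_sets.spt right, adds `lock` over rw_term_perms). The dir rule is meaningless for a tty/pty type and the perm swap silently widens the interface. Keep the original line, `allow amanda_recover_t $3:chr_file rw_term_perms;`, as the other run-style interfaces in refpolicy do. The enclosing interface's header is outside the hunk.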
@@ -139,7 +139,8 @@
 type amanda_log_t;
 ')
- allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+ read_files_pattern($1, amanda_log_t, amanda_log_t)
+ append_files_pattern($1, amanda_log_t, amanda_log_t)
 ')
 #######################################
@@ -158,6 +159,5 @@
 ')
 files_search_var_lib($1)
- allow $1 amanda_var_lib_t:dir search_dir_perms;
-
+ search_dirs_pattern($1, amanda_var_lib_t, amanda_var_lib_t)
 ')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.te (working copy)
@@ -8,53 +8,44 @@
 type amanda_t;
 type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_service_domain(amanda_t, amanda_inetd_exec_t)
 role system_r types amanda_t;
 type amanda_exec_t;
-domain_entry_file(amanda_t,amanda_exec_t)
+domain_entry_file(amanda_t, amanda_exec_t)
 type amanda_log_t;
 logging_log_file(amanda_log_t)
-# type for amanda configurations files
 type amanda_config_t;
 files_type(amanda_config_t)
-# type for files in /usr/lib/amanda
 type amanda_usr_lib_t;
 files_type(amanda_usr_lib_t)
-# type for all files in /var/lib/amanda
 type amanda_var_lib_t;
 files_type(amanda_var_lib_t)
-# type for all files in /var/lib/amanda/gnutar-lists/
 type amanda_gnutarlists_t;
 files_type(amanda_gnutarlists_t)
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
-# type for /etc/amandates
 type amanda_amandates_t;
 files_type(amanda_amandates_t)
-# type for /etc/dumpdates
 type amanda_dumpdates_t;
 files_type(amanda_dumpdates_t)
-# type for amanda data
 type amanda_data_t;
 files_type(amanda_data_t)
-# type for amrecover
 type amanda_recover_t;
 type amanda_recover_exec_t;
-application_domain(amanda_recover_t,amanda_recover_exec_t)
+application_domain(amanda_recover_t, amanda_recover_exec_t)
 role system_r types amanda_recover_t;
-# type for recover files ( restored data )
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
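Review bot: The @@ -8,53 hunk removes every comment that said what a type labels (/etc/amandates, /etc/dumpdates, /var/lib/amanda/gnutar-lists, restored data) and puts nothing in their place. Refpolicy .te files do usually go without such comments and leave the paths to the .fc file, but `amanda_data_t` and `amanda_recover_dir_t` are not self-describing, so a reader of the .te now has to open the .fc to learn that the latter is the amrecover output directory. Keeping a one-line comment on those two, e.g. `# restored data written by amrecover` above `type amanda_recover_dir_t;`, costs nothing and preserves the intent the old comments carried.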
@@ -75,38 +66,31 @@
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
-# access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
+can_exec(amanda_t, amanda_exec_t)
+can_exec(amanda_t, amanda_inetd_exec_t)
-# configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
-# access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file manage_file_perms;
+manage_files_pattern(amanda_t, amanda_gnutarlists_t, amanda_gnutarlists_t)
+manage_lnk_files_pattern(amanda_t, amanda_gnutarlists_t, amanda_gnutarlists_t)
-# access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-
-can_exec(amanda_t,amanda_exec_t)
-can_exec(amanda_t,amanda_inetd_exec_t)
-
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
-allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
-allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
-
 manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
 manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
-manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
-manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
-logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
+manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
-manage_files_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
-manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
+manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
 files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+read_files_pattern(amanda_t, amanda_config_t, amanda_config_t)
+
+rw_files_pattern(amanda_t, amanda_dumpdates_t, amanda_dumpdates_t)
+
+rw_files_pattern(amanda_t, amanda_amandates_t, amanda_amandates_t)
+
 kernel_read_system_state(amanda_t)
 kernel_read_kernel_sysctls(amanda_t)
 kernel_dontaudit_getattr_unlabeled_files(amanda_t)
@@ -145,9 +129,13 @@
 fs_getattr_xattr_fs(amanda_t)
 fs_list_all(amanda_t)
+fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
+
 storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
-# Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
 auth_use_nsswitch(amanda_t)
@@ -156,11 +144,8 @@
 libs_use_ld_so(amanda_t)
 libs_use_shared_libs(amanda_t)
+logging_send_syslog_msg(amanda_t)
-optional_policy(`
- logging_send_syslog_msg(amanda_t)
-')
-
 ########################################
 #
 # Amanda recover local policy
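Review bot: The amandates, dumpdates and config rewrites in the @@ -75,38 hunk change what is granted, not only how it is written: `{ getattr lock read write }` on amanda_amandates_t and amanda_dumpdates_t becomes rw_file_perms via `rw_files_pattern`, which as far as I recall also carries append and ioctl, `{ getattr read }` on amanda_config_t becomes read_file_perms (ioctl and lock on top), and each pattern adds a `dir search_dir_perms` rule on the same type. The amanda_data_t change goes the other way and is a real fix rather than a cleanup: `{ read search write }` on the dir could never satisfy the create/unlink already granted by `manage_file_perms` on its files, so the rw_dir_perms that `manage_files_pattern` brings is what the old rule was missing. The description calls the whole patch trivial; it should say which rules widen and which one repairs a too-narrow dir rule, so the extra append/ioctl on the two /etc files is a deliberate decision rather than a side effect of the macro chosen.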
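Review bot: `fstools_signal(amanda_t)` in the @@ -145,9 hunk calls an interface the description says does not exist in trunk, so this module will not build until the companion fstools patch is applied; the two should be submitted as one ordered series, or this line held back until that interface is in. The description is also unsure whether the Fedora rule meant `signal` alone or the wider `signal_perms`; that should be checked against the Fedora patch before the name is settled, because an interface called fstools_signal will be read as granting exactly one permission. `fstools_domtrans(amanda_t)` is a move from the amanda_recover_t section (removed in the @@ -219,8 hunk), not a new grant, and a short comment above it saying why amanda needs a transition to the fstools domain would help the next reader; I would guess dump-based backups but cannot confirm that from the patch.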
@@ -172,23 +157,22 @@
 allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
 allow amanda_recover_t self:udp_socket create_socket_perms;
-manage_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
-manage_lnk_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
+manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
-# access to amanda_recover_dir_t
-manage_dirs_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
+manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
-manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-manage_lnk_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-manage_fifo_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
+manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)
@@ -219,8 +203,6 @@
 auth_use_nsswitch(amanda_recover_t)
-fstools_domtrans(amanda_t)
-
 libs_use_ld_so(amanda_recover_t)
 libs_use_shared_libs(amanda_recover_t)
--
Dominick Grift <domg472@xxxxxxxxx>