#DESC Backup - Backup scripts
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dpkg
#

#################################
#
# Rules for the backup_t domain.
#
# backup_t is the domain the backup scripts run in. It is granted read
# access to every file and directory type on the system plus the
# dac_override capability, so it is effectively an all-readable domain;
# the rules below that matter most for confinement are therefore the
# ones controlling how the domain is entered (backup_exec_t, cron) and
# where it may write (backup_store_t, var_t).
#
# backup_t: the process domain. privlog and auth are attributes defined
# elsewhere in the policy; presumably they grant syslog access and the
# ability to read authentication data - confirm against their definitions.
type backup_t, domain, privlog, auth;
# backup_exec_t: label for the backup script executables. Entering this
# type is the only intended way to obtain the backup_t domain.
type backup_exec_t, file_type, sysadmfile, exec_type;

# backup_store_t: label for the directory tree the backups are written to.
type backup_store_t, file_type, sysadmfile;

# The domain is reachable from both the system role (cron) and sysadm_r.
role system_r types backup_t;
role sysadm_r types backup_t;

# In the strict (non-targeted) policy, sysadm_t executing a backup_exec_t
# file automatically transitions into backup_t.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
')
# Allow use of file descriptors inherited from privfd domains (e.g. the
# terminal or pipe the invoking process passes in).
allow backup_t privfd:fd use;

# When cron is part of the policy, system cron jobs may enter backup_t
# through backup_exec_t. NOTE(review): the second rule gives system_crond_t
# itself read/write/create access on backup_store_t, independent of the
# backup_t domain - worth confirming that cron needs this directly rather
# than only via the transition.
ifdef(`crond.te', `
system_crond_entry(backup_exec_t, backup_t)
rw_dir_create_file(system_crond_t, backup_store_t)
')

# for SSP
allow backup_t urandom_device_t:chr_file read;

# Outbound networking for remote backup targets. name_connect on every
# port_type lets the domain connect to any TCP port; if the backup
# destination ports are known, restricting this to those port types would
# narrow the exposure of an all-readable domain.
can_network_client(backup_t)
allow backup_t port_type:tcp_socket name_connect;
# NIS lookups and shared libraries.
can_ypbind(backup_t)
uses_shlib(backup_t)

# Read/write on the controlling terminal device.
allow backup_t devtty_t:chr_file rw_file_perms;

# Whole-system read access: every directory (including filesystem types),
# every regular file and symlink under any file_type, and getattr on
# sockets, FIFOs and device nodes so they can be recorded in an archive.
# This deliberately includes restricted types (credentials, keys), which is
# why the domain must only be entered through its controlled entry points.
allow backup_t { file_type fs_type }:dir r_dir_perms;
allow backup_t file_type:{ file lnk_file } r_file_perms;
allow backup_t file_type:{ sock_file fifo_file } getattr;
allow backup_t { device_t device_type ttyfile }:chr_file getattr;
allow backup_t { device_t device_type }:blk_file getattr;
# Write/create permission on files labelled var_t (generic /var content).
# NOTE(review): the purpose is not stated here - presumably state or lock
# files; a dedicated type would be narrower than generic var_t. Confirm.
allow backup_t var_t:file create_file_perms;

# /proc and sysctl reads (process and kernel state).
allow backup_t proc_t:dir r_dir_perms;
allow backup_t proc_t:file r_file_perms;
allow backup_t proc_t:lnk_file { getattr read };
read_sysctl(backup_t)

# Self access: pipes between script stages, forking and signalling child
# processes. dac_override bypasses discretionary mode bits so files
# unreadable to the backup uid can still be read; this is the rule that
# turns the file_type reads above into unconditional read access.
allow backup_t self:fifo_file rw_file_perms;
allow backup_t self:process { signal sigchld fork };
allow backup_t self:capability dac_override;

# The only intended write target: the backup store, including creating
# new archive files and setting their attributes.
rw_dir_file(backup_t, backup_store_t)
allow backup_t backup_store_t:file { create setattr };

# statfs on filesystems (free space checks).
allow backup_t fs_t:filesystem getattr;

# Local unix stream sockets for the domain itself.
allow backup_t self:unix_stream_socket create_socket_perms;

# Ordinary binaries run without a domain transition, i.e. they stay in
# backup_t and inherit its broad read access.
can_exec(backup_t, bin_t)
ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')