add backup, bug 1517

Chris PeBenito 2006-04-24 18:58:46 +00:00
parent 8536924eec
commit 57f233b01f
5 changed files with 151 additions and 1 deletions


@ -37,6 +37,7 @@
apt (Erich Schubert)
asterisk
audioentropy
backup
calamaris
cipe
clamav (Erich Schubert)


@ -0,0 +1,7 @@
# backup
# label programs that do backups to other files on disk (IE a cron job that
# calls tar) in backup_exec_t and label the directory for storing them as
# backup_store_t, Debian uses /var/backups
#/usr/local/bin/backup-script -- gen_require(system_u:object_r:backup_exec_t,s0)
/var/backups(/.*)? gen_require(system_u:object_r:backup_store_t,s0)
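Review bot: No path in this file is actually labeled backup_exec_t — the only such entry, `#/usr/local/bin/backup-script`, is commented out — so backup_domtrans, the cron_system_entry in backup.te and the new backup_run call in userdomain.te cannot take effect on a stock install until an administrator adds a local file-context entry. The header comment should state that explicitly, e.g. `# no program is labeled backup_exec_t by default; add a local entry like the example below to enable the transition into backup_t`. Minor wording: `IE` in the header reads better as `i.e.`.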


@ -0,0 +1,53 @@
## <summary>System backup scripts</summary>
########################################
## <summary>
## Execute backup in the backup domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`backup_domtrans',`
gen_require(`
type backup_t, backup_exec_t;
')
domain_auto_trans($1,backup_exec_t,backup_t)
allow backup_t $1:fd use;
allow backup_t $1:fifo_file rw_file_perms;
allow backup_t $1:process sigchld;
')
########################################
## <summary>
## Execute backup in the backup domain, and
## allow the specified role the backup domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the backup domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`backup_run',`
gen_require(`
type backup_t;
')
backup_domtrans($1)
role $2 types backup_t;
allow backup_t $3:chr_file rw_term_perms;
')
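Review bot: The `terminal` parameter of backup_run is documented as `Domain allowed access.`, which is the summary copied from the `domain` parameter of backup_domtrans and describes a process type, whereas $3 is used here as a chr_file granted rw_term_perms. Replace that summary with `The type of the terminal allow the backup domain to use.` so it matches the other *_run interfaces this module sits beside (apt_run, bootloader_run in userdomain.te). The `domain` summary of backup_domtrans, `Domain allowed access.`, is the conventional wording and can stay.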


@ -0,0 +1,85 @@
policy_module(backup,1.0.0)
########################################
#
# Declarations
#
type backup_t;
type backup_exec_t;
domain_type(backup_t)
domain_entry_file(backup_t,backup_exec_t)
role system_r types backup_t;
type backup_store_t;
files_type(backup_store_t)
########################################
#
# Local policy
#
allow backup_t self:capability dac_override;
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;
allow backup_t backup_store_t:dir ra_dir_perms;
allow backup_t backup_store_t:file { create rw_file_perms setattr };
allow backup_t backup_store_t:lnk_file { getattr read };
kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corenet_non_ipsec_sendrecv(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_udp_sendrecv_generic_if(backup_t)
corenet_raw_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_all_nodes(backup_t)
corenet_udp_sendrecv_all_nodes(backup_t)
corenet_raw_sendrecv_all_nodes(backup_t)
corenet_tcp_sendrecv_all_ports(backup_t)
corenet_udp_sendrecv_all_ports(backup_t)
corenet_tcp_bind_all_nodes(backup_t)
corenet_udp_bind_all_nodes(backup_t)
corenet_tcp_connect_all_ports(backup_t)
dev_getattr_all_blk_files(backup_t)
dev_getattr_all_chr_files(backup_t)
# for SSP
dev_read_urand(backup_t)
domain_use_interactive_fds(backup_t)
files_read_all_files(backup_t)
files_read_all_symlinks(backup_t)
files_getattr_all_pipes(backup_t)
files_getattr_all_sockets(backup_t)
fs_getattr_xattr_fs(backup_t)
fs_list_all(backup_t)
auth_read_shadow(backup_t)
libs_use_ld_so(backup_t)
libs_use_shared_libs(backup_t)
logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
optional_policy(`
cron_system_entry(backup_t,backup_exec_t)
')
optional_policy(`
hostname_exec(backup_t)
')
optional_policy(`
nis_use_ypbind(backup_t)
')
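Review bot: The network rules from corenet_tcp_bind_all_nodes through corenet_tcp_connect_all_ports let backup_t listen on every node and connect to every port, and nothing in the file says which backup transport needs that; the only why-comment in the module is `# for SSP`. A comment above the corenet_ lines such as `# network access for remote backup targets; narrow to the transports actually used once known` would let a reviewer judge the scope, and the corenet_raw_sendrecv_* rules appear to be dead weight since no `self:rawip_socket` permission is granted to backup_t (hedged: unless a raw socket is inherited). Separately, `allow backup_t backup_store_t:file { create rw_file_perms setattr };` carries no unlink or rename, so a script that rotates older archives in /var/backups would be denied; if rotation is expected, `{ create rw_file_perms setattr unlink rename }` is the minimal widening. Because auth_read_shadow means shadow contents can be copied into backup_store_t, a short comment on the `type backup_store_t;` declaration noting that the store may hold credential data and must not be world-readable is worth adding.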


@ -1,5 +1,5 @@
policy_module(userdomain,1.3.17)
policy_module(userdomain,1.3.18)
gen_require(`
role sysadm_r, staff_r, user_r;
@ -211,6 +211,10 @@ ifdef(`targeted_policy',`
apt_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`
backup_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')