add backup, bug 1517
This commit is contained in:
parent
8536924eec
commit
57f233b01f
@ -37,6 +37,7 @@
|
||||
apt (Erich Schubert)
|
||||
asterisk
|
||||
audioentropy
|
||||
backup
|
||||
calamaris
|
||||
cipe
|
||||
clamav (Erich Schubert)
|
||||
|
7
refpolicy/policy/modules/admin/backup.fc
Normal file
7
refpolicy/policy/modules/admin/backup.fc
Normal file
@ -0,0 +1,7 @@
|
||||
# backup
|
||||
# label programs that do backups to other files on disk (IE a cron job that
|
||||
# calls tar) in backup_exec_t and label the directory for storing them as
|
||||
# backup_store_t, Debian uses /var/backups
|
||||
|
||||
#/usr/local/bin/backup-script -- gen_require(system_u:object_r:backup_exec_t,s0)
|
||||
/var/backups(/.*)? gen_require(system_u:object_r:backup_store_t,s0)
|
53
refpolicy/policy/modules/admin/backup.if
Normal file
53
refpolicy/policy/modules/admin/backup.if
Normal file
@ -0,0 +1,53 @@
|
||||
## <summary>System backup scripts</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute backup in the backup domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`backup_domtrans',`
|
||||
gen_require(`
|
||||
type backup_t, backup_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,backup_exec_t,backup_t)
|
||||
allow backup_t $1:fd use;
|
||||
allow backup_t $1:fifo_file rw_file_perms;
|
||||
allow backup_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute backup in the backup domain, and
|
||||
## allow the specified role the backup domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the backup domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`backup_run',`
|
||||
gen_require(`
|
||||
type backup_t;
|
||||
')
|
||||
|
||||
backup_domtrans($1)
|
||||
role $2 types backup_t;
|
||||
allow backup_t $3:chr_file rw_term_perms;
|
||||
')
|
85
refpolicy/policy/modules/admin/backup.te
Normal file
85
refpolicy/policy/modules/admin/backup.te
Normal file
@ -0,0 +1,85 @@
|
||||
|
||||
policy_module(backup,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type backup_t;
|
||||
type backup_exec_t;
|
||||
domain_type(backup_t)
|
||||
domain_entry_file(backup_t,backup_exec_t)
|
||||
role system_r types backup_t;
|
||||
|
||||
type backup_store_t;
|
||||
files_type(backup_store_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow backup_t self:capability dac_override;
|
||||
allow backup_t self:process signal;
|
||||
allow backup_t self:fifo_file rw_file_perms;
|
||||
allow backup_t self:tcp_socket create_socket_perms;
|
||||
allow backup_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow backup_t backup_store_t:dir ra_dir_perms;
|
||||
allow backup_t backup_store_t:file { create rw_file_perms setattr };
|
||||
allow backup_t backup_store_t:lnk_file { getattr read };
|
||||
|
||||
kernel_read_system_state(backup_t)
|
||||
kernel_read_kernel_sysctls(backup_t)
|
||||
|
||||
corecmd_exec_bin(backup_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(backup_t)
|
||||
corenet_tcp_sendrecv_generic_if(backup_t)
|
||||
corenet_udp_sendrecv_generic_if(backup_t)
|
||||
corenet_raw_sendrecv_generic_if(backup_t)
|
||||
corenet_tcp_sendrecv_all_nodes(backup_t)
|
||||
corenet_udp_sendrecv_all_nodes(backup_t)
|
||||
corenet_raw_sendrecv_all_nodes(backup_t)
|
||||
corenet_tcp_sendrecv_all_ports(backup_t)
|
||||
corenet_udp_sendrecv_all_ports(backup_t)
|
||||
corenet_tcp_bind_all_nodes(backup_t)
|
||||
corenet_udp_bind_all_nodes(backup_t)
|
||||
corenet_tcp_connect_all_ports(backup_t)
|
||||
|
||||
dev_getattr_all_blk_files(backup_t)
|
||||
dev_getattr_all_chr_files(backup_t)
|
||||
# for SSP
|
||||
dev_read_urand(backup_t)
|
||||
|
||||
domain_use_interactive_fds(backup_t)
|
||||
|
||||
files_read_all_files(backup_t)
|
||||
files_read_all_symlinks(backup_t)
|
||||
files_getattr_all_pipes(backup_t)
|
||||
files_getattr_all_sockets(backup_t)
|
||||
|
||||
fs_getattr_xattr_fs(backup_t)
|
||||
fs_list_all(backup_t)
|
||||
|
||||
auth_read_shadow(backup_t)
|
||||
|
||||
libs_use_ld_so(backup_t)
|
||||
libs_use_shared_libs(backup_t)
|
||||
|
||||
logging_send_syslog_msg(backup_t)
|
||||
|
||||
sysnet_read_config(backup_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(backup_t,backup_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(backup_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(backup_t)
|
||||
')
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.3.17)
|
||||
policy_module(userdomain,1.3.18)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
@ -211,6 +211,10 @@ ifdef(`targeted_policy',`
|
||||
apt_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
backup_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user