Clean up Amanda module.

Signed-off-by: Dominick Grift <domg472@gmail.com>

policy/modules/admin/amanda.fc

@@ -1,4 +1,3 @@
-
 /etc/amanda(/.*)?			gen_context(system_u:object_r:amanda_config_t,s0)
 /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
@@ -8,13 +7,12 @@
 
 /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
 
-/tmp/amanda(/.*)?			gen_context(system_u:object_r:amanda_tmp_t,s0)
-
 /usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
 /usr/lib(64)?/amanda/.+		--	gen_context(system_u:object_r:amanda_exec_t,s0)
 /usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
 /usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
 /var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)

policy/modules/admin/amanda.if

@@ -1,8 +1,9 @@
-## <summary>Automated backup program.</summary>
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
 
 ########################################
 ## <summary>
-##	Execute amrecover in the amanda_recover domain.
+##	Execute a domain transition to run
+##	Amanda recover.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,13 +16,15 @@ interface(`amanda_domtrans_recover',`
 		type amanda_recover_t, amanda_recover_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute amrecover in the amanda_recover domain, and
+##	Execute a domain transition to run
-##	allow the specified role the amanda_recover domain.
+##	Amanda recover, and allow the specified
+##	role the Amanda recover domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -46,7 +49,7 @@ interface(`amanda_run_recover',`
 
 ########################################
 ## <summary>
-##	Search amanda library directories.
+##	Search Amanda library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59,8 +62,8 @@ interface(`amanda_search_lib',`
 		type amanda_usr_lib_t;
 	')
 
-	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 	files_search_usr($1)
+	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -83,7 +86,7 @@ interface(`amanda_dontaudit_read_dumpdates',`
 
 ########################################
 ## <summary>
-##	Allow read/writing /etc/dumpdates.
+##	Read and write /etc/dumpdates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -96,12 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
 		type amanda_dumpdates_t;
 	')
 
+	files_search_etc($1)
 	allow $1 amanda_dumpdates_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search amanda library directories.
+##	Search Amanda library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -114,13 +118,13 @@ interface(`amanda_manage_lib',`
 		type amanda_usr_lib_t;
 	')
 
-	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 	files_search_usr($1)
+	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Allow read/writing amanda logs
+##	Read and append amanda logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -133,12 +137,13 @@ interface(`amanda_append_log_files',`
 		type amanda_log_t;
 	')
 
+	logging_search_logs($1)
 	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
 
 #######################################
 ## <summary>
-##	Search amanda var library directories.
+##	Search Amanda var library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -153,5 +158,4 @@ interface(`amanda_search_var_lib',`
 
 	files_search_var_lib($1)
 	allow $1 amanda_var_lib_t:dir search_dir_perms;
-
 ')

policy/modules/admin/amanda.te

@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
 type amanda_log_t;
 logging_log_file(amanda_log_t)
 
-# type for amanda configurations files
 type amanda_config_t;
 files_type(amanda_config_t)
 
-# type for files in /usr/lib/amanda
 type amanda_usr_lib_t;
 files_type(amanda_usr_lib_t)
 
-# type for all files in /var/lib/amanda
 type amanda_var_lib_t;
 files_type(amanda_var_lib_t)
 
-# type for all files in /var/lib/amanda/gnutar-lists/
 type amanda_gnutarlists_t;
 files_type(amanda_gnutarlists_t)
 
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
 
-# type for /etc/amandates
 type amanda_amandates_t;
 files_type(amanda_amandates_t)
 
-# type for /etc/dumpdates
 type amanda_dumpdates_t;
 files_type(amanda_dumpdates_t)
 
-# type for amanda data
 type amanda_data_t;
 files_type(amanda_data_t)
 
-# type for amrecover
 type amanda_recover_t;
 type amanda_recover_exec_t;
 application_domain(amanda_recover_t, amanda_recover_exec_t)
 role system_r types amanda_recover_t;
 
-# type for recover files ( restored data )
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
 
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
 
-# access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file rw_file_perms;
 
-# configuration files -> read only
 allow amanda_t amanda_config_t:file read_file_perms;
 
-# access to amandas data structure
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
-# access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
 
 can_exec(amanda_t, amanda_exec_t)
 can_exec(amanda_t, amanda_inetd_exec_t)
 
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
 allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,17 @@ storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
 storage_write_tape(amanda_t)
 
-# Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
 
 auth_use_nsswitch(amanda_t)
 auth_read_shadow(amanda_t)
 
-optional_policy(`
+logging_send_syslog_msg(amanda_t)
-	logging_send_syslog_msg(amanda_t)
-')
 
 ########################################
 #
 # Amanda recover local policy
+#
 
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
@@ -175,7 +159,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
 manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 
-# access to amanda_recover_dir_t
 manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)