#DESC Backup - Backup scripts
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dpkg
#
#################################
#
# Rules for the backup_t domain.
#
# Domain type for the running backup process, declared with the domain,
# privlog and auth attributes.
# NOTE(review): auth is defined outside this file; if it is the attribute that
# lets a domain read the shadow password file, confirm the backup domain is
# meant to hold it.
type backup_t, domain, privlog, auth;
# Label for the backup program files. It is the executable type named in the
# domain_auto_trans and system_crond_entry calls in this file, so whatever
# carries this label can enter backup_t.
type backup_exec_t, file_type, sysadmfile, exec_type;
# Label for the backup store: the only type on which this file gives backup_t
# directory write access (rw_dir_file plus file create/setattr).
type backup_store_t, file_type, sysadmfile;
# Authorise backup_t under system_r (presumably for runs started from system
# cron - confirm against crond.te).
role system_r types backup_t;
# Authorise backup_t under sysadm_r, matching the sysadm_t transition declared
# in this file.
role sysadm_r types backup_t;
# When targeted_policy is defined the first branch is empty, so no transition
# is declared. Otherwise domain_auto_trans (macro defined elsewhere) is applied
# so that sysadm_t running a backup_exec_t program ends up in backup_t.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
')
# Let backup_t use file descriptors belonging to privfd (defined outside this
# file; presumably an attribute covering the domains that start it - confirm).
allow backup_t privfd:fd use;
# Only when crond.te is part of the policy: system_crond_entry ties
# backup_exec_t to backup_t for system cron, and rw_dir_create_file is applied
# to system_crond_t on backup_store_t (both macros are defined elsewhere).
# NOTE(review): the second grant goes to the cron domain itself, not to
# backup_t; confirm that cron jobs outside backup_t need to write to the store.
ifdef(`crond.te', `
system_crond_entry(backup_exec_t, backup_t)
rw_dir_create_file(system_crond_t, backup_store_t)
')
# for SSP
# Read-only access to character devices labelled urandom_device_t; this rule
# grants no write permission.
allow backup_t urandom_device_t:chr_file read;
# Network client access for backup_t through can_network_client (macro defined
# elsewhere; the socket permissions it expands to are not visible here).
can_network_client(backup_t)
# Outbound TCP connect (name_connect) to every port labelled with port_type
# (presumably the attribute covering all port types - confirm).
# NOTE(review): backup_t can also read every file type, so an unrestricted
# connect is a broad egress path for a compromised backup process. If the
# backup servers listen on known ports, limiting this rule to those port types
# would narrow it.
allow backup_t port_type:tcp_socket name_connect;
# NIS (ypbind) support through can_ypbind (macro defined elsewhere; presumably
# for name-service lookups - confirm it is needed on hosts that do not use NIS).
can_ypbind(backup_t)
# Shared library access through uses_shlib (macro defined elsewhere).
uses_shlib(backup_t)
# Read/write on the devtty_t character device (presumably the controlling
# terminal, /dev/tty - confirm).
allow backup_t devtty_t:chr_file rw_file_perms;
# Read access (r_dir_perms, defined elsewhere) to directories of every type
# carrying file_type or fs_type, so the backup can walk the whole labelled tree.
allow backup_t { file_type fs_type }:dir r_dir_perms;
# Read access to regular files and symlinks of every file_type.
# NOTE(review): this is what lets the domain back up everything, and it also
# means a compromise of backup_t exposes every labelled file on the system.
# Keep the set of programs labelled backup_exec_t small and audit who can
# relabel files to that type.
allow backup_t file_type:{ file lnk_file } r_file_perms;
# Socket files and FIFOs of any file_type: getattr only, so they can be
# recorded in a backup but not opened through this rule.
allow backup_t file_type:{ sock_file fifo_file } getattr;
# Character device nodes (device_t, device_type, ttyfile): this rule grants
# getattr only, not read or write.
allow backup_t { device_t device_type ttyfile }:chr_file getattr;
# Block device nodes: getattr only; this rule gives no access to raw disk
# contents.
allow backup_t { device_t device_type }:blk_file getattr;
# create_file_perms (defined elsewhere) on regular files labelled var_t.
# NOTE(review): no var_t:dir write or add_name rule is visible in this file,
# and var_t is a generic label; check which file this is for and whether a
# dedicated type would be a tighter fit.
allow backup_t var_t:file create_file_perms;
# Read access to proc_t directories.
allow backup_t proc_t:dir r_dir_perms;
# Read access to proc_t files.
allow backup_t proc_t:file r_file_perms;
# Stat and read proc_t symlinks.
allow backup_t proc_t:lnk_file { getattr read };
# Read access to sysctl entries through read_sysctl (macro defined elsewhere).
read_sysctl(backup_t)
# Read/write on FIFOs labelled with the domain own type, i.e. pipes that
# backup_t processes create among themselves.
allow backup_t self:fifo_file rw_file_perms;
# fork, signal and sigchld, limited to processes in backup_t itself.
allow backup_t self:process { signal sigchld fork };
# dac_override: bypass discretionary (mode/ownership) permission checks, so
# the backup can reach files regardless of their Unix permissions.
# NOTE(review): dac_override covers write checks as well as read. If the
# backup only needs to read and traverse files it does not own,
# dac_read_search is the narrower capability - confirm before changing.
allow backup_t self:capability dac_override;
# Access to backup_store_t directories and files through rw_dir_file (macro
# defined elsewhere; the exact permission set is not visible here).
rw_dir_file(backup_t, backup_store_t)
# Explicitly allow creating files in the store and changing their attributes
# (setattr).
allow backup_t backup_store_t:file { create setattr };
# Query attributes of filesystems labelled fs_t (getattr on the filesystem
# object, not on individual files).
allow backup_t fs_t:filesystem getattr;
# Unix stream sockets labelled with the domain own type, with the
# create_socket_perms permission set (defined elsewhere).
allow backup_t self:unix_stream_socket create_socket_perms;
# Let backup_t execute bin_t programs through can_exec (macro defined
# elsewhere; presumably without a domain transition - confirm).
# NOTE(review): if there is no transition, every helper run from bin_t keeps
# the read access of backup_t, so the effective trust boundary includes all
# bin_t programs the backup scripts call.
can_exec(backup_t, bin_t)
# Only when hostname.te is part of the policy: the same can_exec grant for
# programs labelled hostname_exec_t.
ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')