|
Chris PeBenito |
0fbfa5 |
#DESC Amanda - Automated backup program
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# This policy file sets the rigths for amanda client started by inetd_t
|
|
Chris PeBenito |
0fbfa5 |
# and amrecover
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages: amanda-common amanda-server
|
|
Chris PeBenito |
0fbfa5 |
# Depends: inetd.te
|
|
Chris PeBenito |
0fbfa5 |
# Author : Carsten Grohmann <carstengrohmann@gmx.de>
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# License : GPL
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# last change: 27. August 2002
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# state : complete and tested
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Hints :
|
|
Chris PeBenito |
0fbfa5 |
# - amanda.fc is the appendant file context file
|
|
Chris PeBenito |
0fbfa5 |
# - If you use amrecover please extract the files and directories to the
|
|
Chris PeBenito |
0fbfa5 |
# directory speficified in amanda.fc as type amanda_recover_dir_t.
|
|
Chris PeBenito |
0fbfa5 |
# - The type amanda_user_exec_t is defined to label the files but not used.
|
|
Chris PeBenito |
0fbfa5 |
# This configuration works only as an client and a amanda client does not need
|
|
Chris PeBenito |
0fbfa5 |
# this programs.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Enhancements/Corrections:
|
|
Chris PeBenito |
0fbfa5 |
# - set tighter permissions to /bin/tar instead bin_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
##############################################################################
|
|
Chris PeBenito |
0fbfa5 |
# AMANDA CLIENT DECLARATIONS
|
|
Chris PeBenito |
0fbfa5 |
##############################################################################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# General declarations
|
|
Chris PeBenito |
0fbfa5 |
######################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
type amanda_t, domain, privlog, auth, nscd_client_domain ;
|
|
Chris PeBenito |
0fbfa5 |
role system_r types amanda_t;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for the amanda executables
|
|
Chris PeBenito |
0fbfa5 |
type amanda_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for the amanda executables started by inetd
|
|
Chris PeBenito |
0fbfa5 |
type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for amanda configurations files
|
|
Chris PeBenito |
0fbfa5 |
type amanda_config_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for files in /usr/lib/amanda
|
|
Chris PeBenito |
0fbfa5 |
type amanda_usr_lib_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for all files in /var/lib/amanda
|
|
Chris PeBenito |
0fbfa5 |
type amanda_var_lib_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for all files in /var/lib/amanda/gnutar-lists/
|
|
Chris PeBenito |
0fbfa5 |
type amanda_gnutarlists_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for user startable files
|
|
Chris PeBenito |
0fbfa5 |
type amanda_user_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for same awk and other scripts
|
|
Chris PeBenito |
0fbfa5 |
type amanda_script_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for the shell configuration files
|
|
Chris PeBenito |
0fbfa5 |
type amanda_shellconfig_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
tmp_domain(amanda)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for /etc/amandates
|
|
Chris PeBenito |
0fbfa5 |
type amanda_amandates_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for /etc/dumpdates
|
|
Chris PeBenito |
0fbfa5 |
type amanda_dumpdates_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for amanda data
|
|
Chris PeBenito |
0fbfa5 |
type amanda_data_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Domain transitions
|
|
Chris PeBenito |
0fbfa5 |
####################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
##################
|
|
Chris PeBenito |
0fbfa5 |
# File permissions
|
|
Chris PeBenito |
0fbfa5 |
##################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# configuration files -> read only
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_config_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_config_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amanda_amandates_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_amandates_t:file { getattr lock read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amanda_dumpdates_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amandas data structure
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_data_t:dir { read search write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_data_t:file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to proc_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t proc_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t proc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to etc_t and similar
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t etc_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t etc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t etc_runtime_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to var_t and similar
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t var_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t var_lib_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_var_lib_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to var_run_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t var_run_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to var_log_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t var_log_t:dir getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to var_spool_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t var_spool_t:dir getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amanda_usr_lib_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_usr_lib_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to device_t and similar
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t device_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t null_device_t:chr_file { getattr read write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t devpts_t:dir getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t fixed_disk_device_t:blk_file getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t removable_device_t:blk_file getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t devtty_t:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to boot_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t boot_t:dir getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to fs_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to sysctl_kernel_t ( proc/sys/kernel/* )
|
|
Chris PeBenito |
0fbfa5 |
read_sysctl(amanda_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#####################
|
|
Chris PeBenito |
0fbfa5 |
# process permissions
|
|
Chris PeBenito |
0fbfa5 |
#####################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow to use shared libs
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib(amanda_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow to execute a amanda executable file
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow to run a shell
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to bin_t (tar)
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t bin_t:file { execute execute_no_trans };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t self:capability { chown dac_override setuid };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t self:process { fork sigchld };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t self:unix_dgram_socket create;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
###################################
|
|
Chris PeBenito |
0fbfa5 |
# Network and process communication
|
|
Chris PeBenito |
0fbfa5 |
###################################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
can_network_server(amanda_t);
|
|
Chris PeBenito |
0fbfa5 |
can_ypbind(amanda_t);
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t self:fifo_file { getattr read write ioctl lock };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t self:unix_stream_socket { connect create read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
##########################
|
|
Chris PeBenito |
0fbfa5 |
# Communication with inetd
|
|
Chris PeBenito |
0fbfa5 |
##########################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t inetd_t:udp_socket { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
###################
|
|
Chris PeBenito |
0fbfa5 |
# inetd permissions
|
|
Chris PeBenito |
0fbfa5 |
###################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow inetd_t amanda_usr_lib_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
########################
|
|
Chris PeBenito |
0fbfa5 |
# Access to to save data
|
|
Chris PeBenito |
0fbfa5 |
########################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to user_home_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t user_home_type:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to file_t ( /floppy, /cdrom )
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t mnt_t:dir getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
###########
|
|
Chris PeBenito |
0fbfa5 |
# Dontaudit
|
|
Chris PeBenito |
0fbfa5 |
###########
|
|
Chris PeBenito |
0fbfa5 |
dontaudit amanda_t lost_found_t:dir { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
##############################################################################
|
|
Chris PeBenito |
0fbfa5 |
# AMANDA RECOVER DECLARATIONS
|
|
Chris PeBenito |
0fbfa5 |
##############################################################################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# General declarations
|
|
Chris PeBenito |
0fbfa5 |
######################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for amrecover
|
|
Chris PeBenito |
0fbfa5 |
type amanda_recover_t, domain;
|
|
Chris PeBenito |
0fbfa5 |
role sysadm_r types { amanda_recover_t amanda_recover_dir_t };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# exec types for amrecover
|
|
Chris PeBenito |
0fbfa5 |
type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# type for recover files ( restored data )
|
|
Chris PeBenito |
0fbfa5 |
type amanda_recover_dir_t, file_type, sysadmfile;
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# domain transsition
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# file type auto trans to write debug messages
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# amanda recover process permissions
|
|
Chris PeBenito |
0fbfa5 |
####################################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib(amanda_recover_t)
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t privfd:fd use;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# amrecover network and process communication
|
|
Chris PeBenito |
0fbfa5 |
#############################################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
can_network_server(amanda_recover_t);
|
|
Chris PeBenito |
0fbfa5 |
can_ypbind(amanda_recover_t);
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t self:unix_stream_socket { connect create read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# amrecover file permissions
|
|
Chris PeBenito |
0fbfa5 |
############################
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to etc_t and similar
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t etc_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t etc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t etc_runtime_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amanda_recover_dir_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to var_t and var_run_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t var_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t var_run_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to proc_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t proc_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t proc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to sysctl_kernel_t
|
|
Chris PeBenito |
0fbfa5 |
read_sysctl(amanda_recover_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to dev_t and similar
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t device_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t devtty_t:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t null_device_t:chr_file { getattr write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to bin_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t bin_t:file { execute execute_no_trans };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to sysadm_home_t and sysadm_home_dir_t to start amrecover
|
|
Chris PeBenito |
0fbfa5 |
# in the sysadm home directory
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to use sysadm_tty_device_t (/dev/tty?)
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# access to amanda_tmp_t and tmp_t
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_recover_t tmp_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Rules to allow amanda to be run as a service in xinetd
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
type amanda_port_t, port_type;
|
|
Chris PeBenito |
0fbfa5 |
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t file_type:dir {getattr read search };
|
|
Chris PeBenito |
0fbfa5 |
allow amanda_t file_type:file {getattr read };
|
|
Chris PeBenito |
0fbfa5 |
logdir_domain(amanda)
|
|
Chris PeBenito |
0fbfa5 |
|