#DESC Backup - Backup scripts
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dpkg
#

#################################
#
# Rules for the backup_t domain.
#
# backup_t is the process domain the backup scripts run in.
# NOTE(review): privlog and auth are attributes declared elsewhere in the
# policy tree. In the example policy, privlog marks domains that may talk to
# syslogd and auth marks domains that may read the shadow password file.
# Confirm against the tree in use, because auth makes this a
# credential-sensitive domain.
type backup_t, domain, privlog, auth;
# Label for the backup script executables. It is the type named in the two
# domain-entry rules further down (sysadm_t and, optionally, system cron).
type backup_exec_t, file_type, sysadmfile, exec_type;

# Label for the location backup_t is allowed to write to (see the
# rw_dir_file rule below); presumably the backup destination.
# NOTE(review): backup_t can read every file_type, so data stored under this
# label may contain copies of secrets. Read access to backup_store_t should be
# reviewed with the same care as read access to the original files.
type backup_store_t, file_type, sysadmfile;

# Permit backup_t to appear in both the system role and the sysadm role.
role system_r types backup_t;
role sysadm_r types backup_t;

# Executing a backup_exec_t file from sysadm_t switches the process into
# backup_t automatically (macro defined elsewhere in the policy tree).
domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
# Allow use of file descriptors inherited from domains carrying the privfd
# attribute (attribute defined elsewhere).
allow backup_t privfd:fd use;
# Only compiled in when crond.te is part of the policy build.
# system_crond_entry presumably lets system cron jobs enter backup_t through
# backup_exec_t - confirm against the macro definition.
# NOTE(review): the second macro grants system_crond_t itself write and create
# access to the backup store, so cron jobs that never enter backup_t can also
# alter stored backups. Confirm this is intended.
ifdef(`crond.te', `
system_crond_entry(backup_exec_t, backup_t)
rw_dir_create_file(system_crond_t, backup_store_t)
')

# for SSP (stack smashing protector): read access to the urandom device,
# presumably for the stack canary value.
allow backup_t urandom_device_t:chr_file read;

# Outbound network client access, NIS (ypbind) lookups and shared library use.
# These are macros defined elsewhere in the policy tree.
# NOTE(review): network client access combined with the read-everything rules
# below means any code running in backup_t can send any file off the host.
# The controls that matter are who may write backup_exec_t files and which
# domains may transition into backup_t.
can_network_client(backup_t)
can_ypbind(backup_t)
uses_shlib(backup_t)

# Read and write the controlling terminal device type.
allow backup_t devtty_t:chr_file rw_file_perms;

# Broad read access needed to walk and copy the filesystem:
#  - list and search every directory of any file or filesystem type
#  - read every regular file and symlink of any file type
# The rules name the whole file_type attribute, so no type is excluded here.
allow backup_t { file_type fs_type }:dir r_dir_perms;
allow backup_t file_type:{ file lnk_file } r_file_perms;
# Sockets, fifos and device nodes get getattr only: their metadata can be
# recorded, but these rules do not allow opening or reading them.
allow backup_t file_type:{ sock_file fifo_file } getattr;
allow backup_t { device_t device_type ttyfile }:chr_file getattr;
allow backup_t { device_t device_type }:blk_file getattr;
# Create and write files labelled var_t.
# NOTE(review): the purpose is not documented here (lock, state or log file?).
# var_t is a generic label, so a dedicated type would narrow this grant.
allow backup_t var_t:file create_file_perms;

# Read-only access to proc_t directories, files and symlinks, plus sysctl
# values through the read_sysctl macro.
allow backup_t proc_t:dir r_dir_perms;
allow backup_t proc_t:file r_file_perms;
allow backup_t proc_t:lnk_file { getattr read };
read_sysctl(backup_t)

# Pipes to itself, and the process permissions a script needs to spawn and
# signal its own children.
allow backup_t self:fifo_file rw_file_perms;
allow backup_t self:process { signal sigchld fork };
# dac_override bypasses discretionary (Unix mode bit) permission checks, so
# for this domain the type enforcement rules in this file are the only limit
# on file access.
# NOTE(review): dac_override also covers write checks. If the scripts only
# need to read, the narrower dac_read_search capability may be enough.
allow backup_t self:capability dac_override;

# Read and write access to the backup store, plus creating files there and
# changing their attributes.
rw_dir_file(backup_t, backup_store_t)
allow backup_t backup_store_t:file { create setattr };

# Query filesystem statistics on fs_t filesystems.
allow backup_t fs_t:filesystem getattr;

# Unix stream sockets owned by the domain itself.
allow backup_t self:unix_stream_socket create_socket_perms;

# Run bin_t programs (and hostname, when hostname.te is in the build) without
# leaving backup_t, so every helper the scripts call runs with the full access
# granted above.
can_exec(backup_t, bin_t)
ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')