diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 29d7835..d67f5f9 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.5.1)
+policy_module(amanda,1.5.2)
 #######################################
 #
@@ -70,7 +70,7 @@ optional_policy(`
 allow amanda_t self:capability { chown dac_override setuid kill };
 allow amanda_t self:process { setpgid signal };
-allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:fifo_file rw_fifo_file_perms;
 allow amanda_t self:unix_stream_socket create_stream_socket_perms;
 allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -85,18 +85,22 @@ allow amanda_t amanda_config_t:file { getattr read };
 # access to amandas data structure
 allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file { read write };
+allow amanda_t amanda_data_t:file manage_file_perms;
 # access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
 can_exec(amanda_t,amanda_exec_t)
+can_exec(amanda_t,amanda_inetd_exec_t)
 # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
 allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
+manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
+manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
+
 manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
 manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
 logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
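Review bot: In the third hunk, `allow amanda_t amanda_data_t:file manage_file_perms;` widens file access on amanda_data_t from `{ read write }` to the full manage set, while the directory rule directly above it still grants only `{ read search write }`. The two rules no longer match: as far as I can tell, creating or unlinking entries also needs `add_name`/`remove_name` on the directory, so the extra file permissions are either unusable or broader than the domain needs. If amanda_t really has to create and delete files there, `manage_files_pattern(amanda_t,amanda_data_t,amanda_data_t)` would keep both sides consistent, as the new amanda_var_lib_t lines already do; if it only touches existing files, `allow amanda_t amanda_data_t:file rw_file_perms;` is the tighter grant. The added `can_exec(amanda_t,amanda_inetd_exec_t)` and the two amanda_var_lib_t pattern lines also lack the `# access to ...` comment that the neighbouring rules carry; a one-line comment stating why amanda_t needs to execute that type in its own domain, and which path amanda_var_lib_t labels, would make the grant reviewable.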