[people/stevee/selinux-policy.git] / policy / modules / admin / backup.te

policy_module(backup, 1.5.0)

########################################
#
# Declarations
#

type backup_t;
type backup_exec_t;
domain_type(backup_t)
domain_entry_file(backup_t, backup_exec_t)
role system_r types backup_t;

type backup_store_t;
files_type(backup_store_t)

########################################
#
# Local policy
#

allow backup_t self:capability dac_override;
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;

allow backup_t backup_store_t:file setattr;
manage_files_pattern(backup_t, backup_store_t, backup_store_t)
rw_files_pattern(backup_t, backup_store_t, backup_store_t)
read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)

kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)

corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)

corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_udp_sendrecv_generic_if(backup_t)
corenet_raw_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
corenet_udp_sendrecv_generic_node(backup_t)
corenet_raw_sendrecv_generic_node(backup_t)
corenet_tcp_sendrecv_all_ports(backup_t)
corenet_udp_sendrecv_all_ports(backup_t)
corenet_tcp_connect_all_ports(backup_t)
corenet_sendrecv_all_client_packets(backup_t)

dev_getattr_all_blk_files(backup_t)
dev_getattr_all_chr_files(backup_t)
# for SSP
dev_read_urand(backup_t)

domain_use_interactive_fds(backup_t)

files_read_all_files(backup_t)
files_read_all_symlinks(backup_t)
files_getattr_all_pipes(backup_t)
files_getattr_all_sockets(backup_t)

fs_getattr_xattr_fs(backup_t)
fs_list_all(backup_t)

auth_read_shadow(backup_t)

logging_send_syslog_msg(backup_t)

sysnet_read_config(backup_t)

userdom_use_inherited_user_terminals(backup_t)

optional_policy(`
	cron_system_entry(backup_t, backup_exec_t)
')

optional_policy(`
	hostname_exec(backup_t)
')

optional_policy(`
	nis_use_ypbind(backup_t)
')
Commit	Line	Data
9570b288	1	policy_module(backup, 1.5.0)
57f233b0 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type backup_t;
	9	type backup_exec_t;
	10	domain_type(backup_t)
0bfccda4	11	domain_entry_file(backup_t, backup_exec_t)
57f233b0 CP	12	role system_r types backup_t;
	13
	14	type backup_store_t;
	15	files_type(backup_store_t)
	16
	17	########################################
	18	#
	19	# Local policy
	20	#
	21
	22	allow backup_t self:capability dac_override;
	23	allow backup_t self:process signal;
c0868a7a	24	allow backup_t self:fifo_file rw_fifo_file_perms;
57f233b0 CP	25	allow backup_t self:tcp_socket create_socket_perms;
	26	allow backup_t self:udp_socket create_socket_perms;
	27
c0868a7a	28	allow backup_t backup_store_t:file setattr;
0bfccda4 CP	29	manage_files_pattern(backup_t, backup_store_t, backup_store_t)
	30	rw_files_pattern(backup_t, backup_store_t, backup_store_t)
	31	read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
57f233b0 CP	32
	33	kernel_read_system_state(backup_t)
	34	kernel_read_kernel_sysctls(backup_t)
	35
	36	corecmd_exec_bin(backup_t)
45b56b01	37	corecmd_exec_shell(backup_t)
57f233b0	38
19006686 CP	39	corenet_all_recvfrom_unlabeled(backup_t)
19006686 CP	40	corenet_all_recvfrom_netlabel(backup_t)
57f233b0 CP	41	corenet_tcp_sendrecv_generic_if(backup_t)
	42	corenet_udp_sendrecv_generic_if(backup_t)
	43	corenet_raw_sendrecv_generic_if(backup_t)
c1262146 CP	44	corenet_tcp_sendrecv_generic_node(backup_t)
	45	corenet_udp_sendrecv_generic_node(backup_t)
	46	corenet_raw_sendrecv_generic_node(backup_t)
57f233b0 CP	47	corenet_tcp_sendrecv_all_ports(backup_t)
57f233b0 CP	48	corenet_udp_sendrecv_all_ports(backup_t)
57f233b0	49	corenet_tcp_connect_all_ports(backup_t)
9d0c9b3e	50	corenet_sendrecv_all_client_packets(backup_t)
57f233b0 CP	51
	52	dev_getattr_all_blk_files(backup_t)
	53	dev_getattr_all_chr_files(backup_t)
	54	# for SSP
	55	dev_read_urand(backup_t)
	56
	57	domain_use_interactive_fds(backup_t)
	58
	59	files_read_all_files(backup_t)
	60	files_read_all_symlinks(backup_t)
	61	files_getattr_all_pipes(backup_t)
	62	files_getattr_all_sockets(backup_t)
	63
	64	fs_getattr_xattr_fs(backup_t)
	65	fs_list_all(backup_t)
	66
	67	auth_read_shadow(backup_t)
	68
57f233b0 CP	69	logging_send_syslog_msg(backup_t)
	70
	71	sysnet_read_config(backup_t)
	72
af2d8802	73	userdom_use_inherited_user_terminals(backup_t)
296273a7	74
57f233b0	75	optional_policy(`
0bfccda4	76	cron_system_entry(backup_t, backup_exec_t)
57f233b0 CP	77	')
	78
	79	optional_policy(`
	80	hostname_exec(backup_t)
	81	')
	82
	83	optional_policy(`
	84	nis_use_ypbind(backup_t)
	85	')