+++ /dev/null
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-
-#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0)
-
-ifdef(`distro_debian',`
-/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
-/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
-')
-
-/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
+++ /dev/null
-## <summary>System backup scripts</summary>
-
-########################################
-## <summary>
-## Execute backup in the backup domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`backup_domtrans',`
- gen_require(`
- type backup_t, backup_exec_t;
- ')
-
- domtrans_pattern($1, backup_exec_t, backup_t)
-')
-
-########################################
-## <summary>
-## Execute backup in the backup domain, and
-## allow the specified role the backup domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`backup_run',`
- gen_require(`
- type backup_t;
- ')
-
- backup_domtrans($1)
- role $2 types backup_t;
-')
+++ /dev/null
-policy_module(backup, 1.5.0)
-
-########################################
-#
-# Declarations
-#
-
-type backup_t;
-type backup_exec_t;
-domain_type(backup_t)
-domain_entry_file(backup_t, backup_exec_t)
-role system_r types backup_t;
-
-type backup_store_t;
-files_type(backup_store_t)
-
-########################################
-#
-# Local policy
-#
-
-allow backup_t self:capability dac_override;
-allow backup_t self:process signal;
-allow backup_t self:fifo_file rw_fifo_file_perms;
-allow backup_t self:tcp_socket create_socket_perms;
-allow backup_t self:udp_socket create_socket_perms;
-
-allow backup_t backup_store_t:file setattr;
-manage_files_pattern(backup_t, backup_store_t, backup_store_t)
-rw_files_pattern(backup_t, backup_store_t, backup_store_t)
-read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
-
-kernel_read_system_state(backup_t)
-kernel_read_kernel_sysctls(backup_t)
-
-corecmd_exec_bin(backup_t)
-corecmd_exec_shell(backup_t)
-
-corenet_all_recvfrom_unlabeled(backup_t)
-corenet_all_recvfrom_netlabel(backup_t)
-corenet_tcp_sendrecv_generic_if(backup_t)
-corenet_udp_sendrecv_generic_if(backup_t)
-corenet_raw_sendrecv_generic_if(backup_t)
-corenet_tcp_sendrecv_generic_node(backup_t)
-corenet_udp_sendrecv_generic_node(backup_t)
-corenet_raw_sendrecv_generic_node(backup_t)
-corenet_tcp_sendrecv_all_ports(backup_t)
-corenet_udp_sendrecv_all_ports(backup_t)
-corenet_tcp_connect_all_ports(backup_t)
-corenet_sendrecv_all_client_packets(backup_t)
-
-dev_getattr_all_blk_files(backup_t)
-dev_getattr_all_chr_files(backup_t)
-# for SSP
-dev_read_urand(backup_t)
-
-domain_use_interactive_fds(backup_t)
-
-files_read_all_files(backup_t)
-files_read_all_symlinks(backup_t)
-files_getattr_all_pipes(backup_t)
-files_getattr_all_sockets(backup_t)
-
-fs_getattr_xattr_fs(backup_t)
-fs_list_all(backup_t)
-
-auth_read_shadow(backup_t)
-
-logging_send_syslog_msg(backup_t)
-
-sysnet_read_config(backup_t)
-
-userdom_use_inherited_user_terminals(backup_t)
-
-optional_policy(`
- cron_system_entry(backup_t, backup_exec_t)
-')
-
-optional_policy(`
- hostname_exec(backup_t)
-')
-
-optional_policy(`
- nis_use_ypbind(backup_t)
-')
projects / people / stevee / selinux-policy.git / commitdiff
