Currently there is no SELinux policy module for the app-backup/bacula package. The attached files and patch are my proposal for providing this policy.
Created attachment 297125 [details, diff] Patch for sysadm role to allow execution of user interface
Created attachment 297127 [details] File context for new policy
Created attachment 297129 [details] interface file for new policy
Created attachment 297131 [details] Type enforcement file for new policy
Looking good. Okay if I sent these upstream so that the guys from the reference policy can take a look? I'm not fully confident that the admin interface is correct (with which I mean that the name and its content match the refpolicy ideas), but I need to look into that a bit deeper first (I'm not sufficiently confident with my interface naming skills ;)
Yes, send them up. I'm not confident that I got everything right either, but if it's not hopefully a tweak or two can straighten it out. Good to hear the first set of eyes that looked at it didn't find anything glaringly stupid. ;) All I can say at this point is "it works for me". I did try to copy things I saw in the base refpolicy interfaces, but that doesn't mean that styles and guidelines haven't changed and what I was looking at hadn't been updated.
Okay, had a further look at it and suggest the following changes (will also be those that I sent up if okay): - bacula_pidfile_t is better named bacula_var_run_t as that matches the naming convention more properly - bacula_conf_t seems not needed, as it is only used for reading, and you already grant etc read access to the application. Having a specific configuration file is usually when it contains private information or when the application needs write access (or you need to define an interface for write access). For now, having it stay an etc_t should suffice, not? - I'll be marking bacula_admin_t as an application_domain() - I'll separate bacula_t and bacula_admin_t rules in the .te file Before pushing up, I'll attach them here for your convenience
Created attachment 297233 [details] Type Enforcement (bacula.te)
Created attachment 297235 [details] Interfaces (bacula.if)
Created attachment 297237 [details] File Contexts (bacula.fc)
Agreed, it should suffice to have the bacula_conf_t remain as an etc_t. I was just trying to be thourough and didn't really understand the criteria for seperating out a conf type. Although I noticed that you still left the bacula_conf_t in the file context -- might want to go ahead and clean that up.
On further looking, the bacula-dir.conf file DOES contain private info. It holds the password for the bacula user in the mysql database. That would warrant keeping it locked down, correct?
In that case, yes - best is to have a bacula_etc_t type then.
selinux-bacula-2.20110726 is now in hardened-dev overlay It should include the bacula_etc_t information as well. Can you please stop (all) bacula processes, unload your personal module, install selinux-bacula, relabel your system (rlpkg -a -r) and try starting it again? Since the module uses naming schemes you had in your module too it is possbile that you have collisions. In that case you'll need to "undo" your changes before installing.
Yes, I'll be glad to do that. However, just FYI, it will probably be Monday or Tuesday before it happens.
At first look everything seems to be OK. I'll let the jobs run overnight and do a little more testing tomorrow.
Everything seems to be working fine here.
Pushed to main tree, ~arch
Marked as stable in tree