diff --git a/amanda.fc b/amanda.fc
index 967c1ef..7f4dfbc 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,26 +1,27 @@
-/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
-/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
-/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
-/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
-/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
-/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
-/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
-/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
-/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
-/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
-/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
+/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
# the null string in here because index is a m4 builtin function
/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
-/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
+/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
diff --git a/amanda.if b/amanda.if
index 8498e97..ea4cdc7 100644
--- a/amanda.if
+++ b/amanda.if
@@ -40,11 +40,11 @@ interface(`amanda_domtrans_recover',`
#
interface(`amanda_run_recover',`
gen_require(`
- type amanda_recover_t;
+ attribute_role amanda_recover_roles;
')
amanda_domtrans_recover($1)
- role $2 types amanda_recover_t;
+ roleattribute $2 amanda_recover_roles;
')
########################################
@@ -81,7 +81,7 @@ interface(`amanda_dontaudit_read_dumpdates',`
type amanda_dumpdates_t;
')
- dontaudit $1 amanda_dumpdates_t:file { getattr read };
+ dontaudit $1 amanda_dumpdates_t:file read_file_perms;
')
########################################
@@ -124,7 +124,7 @@ interface(`amanda_manage_lib',`
########################################
##
-## Read and append amanda logs.
+## Read and append amanda log files.
##
##
##
diff --git a/amanda.te b/amanda.te
index d8b5abe..5db8308 100644
--- a/amanda.te
+++ b/amanda.te
@@ -1,14 +1,16 @@
-policy_module(amanda, 1.14.0)
+policy_module(amanda, 1.14.1)
#######################################
#
# Declarations
#
+attribute_role amanda_recover_roles;
+roleattribute system_r amanda_recover_roles;
+
type amanda_t;
type amanda_inetd_exec_t;
inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-role system_r types amanda_t;
type amanda_exec_t;
domain_entry_file(amanda_t, amanda_exec_t)
@@ -43,7 +45,7 @@ files_type(amanda_data_t)
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t, amanda_recover_exec_t)
-role system_r types amanda_recover_t;
+role amanda_recover_roles types amanda_recover_t;
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
@@ -54,16 +56,14 @@ optional_policy(`
########################################
#
-# Amanda local policy
+# Local policy
#
allow amanda_t self:capability { chown dac_override setuid kill };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
-allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-allow amanda_t self:unix_dgram_socket create_socket_perms;
-allow amanda_t self:tcp_socket create_stream_socket_perms;
-allow amanda_t self:udp_socket create_socket_perms;
+allow amanda_t self:unix_stream_socket { accept listen };
+allow amanda_t self:tcp_socket { accept listen };
allow amanda_t amanda_amandates_t:file rw_file_perms;
@@ -75,9 +75,6 @@ filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-can_exec(amanda_t, amanda_exec_t)
-can_exec(amanda_t, amanda_inetd_exec_t)
-
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -87,14 +84,16 @@ manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
-logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
+logging_log_filetrans(amanda_t, amanda_log_t, dir)
manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
-kernel_read_system_state(amanda_t)
+can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
+
kernel_read_kernel_sysctls(amanda_t)
+kernel_read_system_state(amanda_t)
kernel_dontaudit_getattr_unlabeled_files(amanda_t)
kernel_dontaudit_read_proc_symlinks(amanda_t)
@@ -113,6 +112,7 @@ corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_udp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_generic_node(amanda_t)
corenet_udp_bind_generic_node(amanda_t)
+corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
corenet_dontaudit_tcp_bind_all_ports(amanda_t)
@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
-files_read_etc_files(amanda_t)
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
files_read_all_files(amanda_t)
@@ -144,15 +143,14 @@ logging_send_syslog_msg(amanda_t)
########################################
#
-# Amanda recover local policy
+# Recover local policy
#
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
-allow amanda_recover_t self:unix_stream_socket { connect create read write };
-allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
-allow amanda_recover_t self:udp_socket create_socket_perms;
+allow amanda_recover_t self:unix_stream_socket create_socket_perms;
+allow amanda_recover_t self:tcp_socket { accept listen };
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
@@ -171,8 +169,8 @@ manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
-kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
+kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -187,16 +185,18 @@ corenet_tcp_sendrecv_all_ports(amanda_recover_t)
corenet_udp_sendrecv_all_ports(amanda_recover_t)
corenet_tcp_bind_generic_node(amanda_recover_t)
corenet_udp_bind_generic_node(amanda_recover_t)
+
+corenet_sendrecv_generic_server_packets(amanda_recover_t)
corenet_tcp_bind_reserved_port(amanda_recover_t)
-corenet_tcp_connect_amanda_port(amanda_recover_t)
+
corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
domain_use_interactive_fds(amanda_recover_t)
-files_read_etc_files(amanda_recover_t)
files_read_etc_runtime_files(amanda_recover_t)
-files_search_tmp(amanda_recover_t)
files_search_pids(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)