2009-10-28 17:00:03

by deleriux

Subject: [refpolicy] [ RETRY tgtd policy. 1/1] RESET tgtd daemon.

This revision has been checked for syntax errors and verified to actually compile.

Signed-off-by: Matthew Ife <[email protected]>
---
:000000 100644 0000000... 5812689... A policy/modules/services/tgtd.fc
:000000 100644 0000000... d497936... A policy/modules/services/tgtd.if
:000000 100644 0000000... ca91b84... A policy/modules/services/tgtd.te
policy/modules/services/tgtd.fc | 3 ++
policy/modules/services/tgtd.if | 11 ++++++
policy/modules/services/tgtd.te | 70 +++++++++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc
new file mode 100644
index 0000000..5812689
--- /dev/null
+++ b/policy/modules/services/tgtd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0)
diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if
new file mode 100644
index 0000000..d497936
--- /dev/null
+++ b/policy/modules/services/tgtd.if
@@ -0,0 +1,11 @@
+## <summary>Linux Target Framework Daemon.</summary>
+## <desc>
+## <p>
+## Linux target framework (tgt) aims to simplify various
+## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+## and maintenance. Our key goals are the clean integration into
+## the scsi-mid layer and implementing a great portion of tgt
+## in user space.
+## </p>
+## </desc>
+
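Review bot: tgtd.if declares no interfaces at all; it holds only the module `<summary>`/`<desc>` header, so no other domain can run the init script, signal the daemon or manage tgtd_var_lib_t, and the `tgtd_initrc_exec_t` type declared in tgtd.te is unreachable from any administrative role. Refpolicy modules that declare an initrc exec type conventionally ship a `tgtd_admin(domain, role)` interface alongside it; the one below follows the usual pattern (process control, labeled init-script transition, admin access to the module's own types) and a `tgtd_domtrans` can be added once a caller needs one. Each interface also needs the `## <summary>` and `## <param>` comment block that the policy documentation build parses, as sketched below. The trailing empty `+` line at the end of this hunk should be dropped as well.
```selinux
########################################
## <summary>
##	All of the rules required to administrate
##	a tgtd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the tgtd domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`tgtd_admin',`
	gen_require(`
		type tgtd_t, tgtd_initrc_exec_t;
		type tgtd_tmp_t, tgtd_tmpfs_t, tgtd_var_lib_t;
	')

	allow $1 tgtd_t:process { ptrace signal_perms };
	ps_process_pattern($1, tgtd_t)

	init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 tgtd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, tgtd_tmp_t)

	fs_search_tmpfs($1)
	admin_pattern($1, tgtd_tmpfs_t)

	files_list_var_lib($1)
	admin_pattern($1, tgtd_var_lib_t)
')
```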
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
new file mode 100644
index 0000000..ca91b84
--- /dev/null
+++ b/policy/modules/services/tgtd.te
@@ -0,0 +1,70 @@
+policy_module(tgtd, 1.0.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket { create_socket_perms accept listen };
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+kernel_read_fs_sysctls(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)
+
+storage_getattr_fixed_disk_dev(tgtd_t)
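Review bot: `allow tgtd_t self:tcp_socket { create_socket_perms accept listen };` spells out a permission set refpolicy already names; the conventional form is `allow tgtd_t self:tcp_socket create_stream_socket_perms;`. The section headings `# TGTD personal declarations.` and `# TGTD personal policy.` should match the headings used by the neighbouring service modules, `# Declarations` and `# tgtd local policy`, so the file reads like the rest of the tree. The only storage access granted is `storage_getattr_fixed_disk_dev(tgtd_t)`, so a target whose backing store is a raw block device rather than a file under tgtd_var_lib_t would presumably be denied the open and read/write at runtime; if that deployment is intended, the raw disk access should be granted explicitly (preferably behind a tunable, since it is the broadest privilege this domain would hold) rather than left to surface as denials.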
--
1.6.2.5


2009-11-03 14:26:01

by cpebenito

Subject: [refpolicy] [ RETRY tgtd policy. 1/1] RESET tgtd daemon.

On Wed, 2009-10-28 at 17:00 +0000, Matthew Ife wrote:
> This one makes an effort to check for syntax and that it actually compiles.

Merged.

> Signed-off-by: Matthew Ife <[email protected]>
> ---
> :000000 100644 0000000... 5812689... A policy/modules/services/tgtd.fc
> :000000 100644 0000000... d497936... A policy/modules/services/tgtd.if
> :000000 100644 0000000... ca91b84... A policy/modules/services/tgtd.te
> policy/modules/services/tgtd.fc | 3 ++
> policy/modules/services/tgtd.if | 11 ++++++
> policy/modules/services/tgtd.te | 70 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 84 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc
> new file mode 100644
> index 0000000..5812689
> --- /dev/null
> +++ b/policy/modules/services/tgtd.fc
> @@ -0,0 +1,3 @@
> +/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)
> +/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0)
> +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0)
> diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if
> new file mode 100644
> index 0000000..d497936
> --- /dev/null
> +++ b/policy/modules/services/tgtd.if
> @@ -0,0 +1,11 @@
> +## <summary>Linux Target Framework Daemon.</summary>
> +## <desc>
> +## <p>
> +## Linux target framework (tgt) aims to simplify various
> +## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
> +## and maintenance. Our key goals are the clean integration into
> +## the scsi-mid layer and implementing a great portion of tgt
> +## in user space.
> +## </p>
> +## </desc>
> +
> diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
> new file mode 100644
> index 0000000..ca91b84
> --- /dev/null
> +++ b/policy/modules/services/tgtd.te
> @@ -0,0 +1,70 @@
> +policy_module(tgtd, 1.0.0)
> +
> +########################################
> +#
> +# TGTD personal declarations.
> +#
> +
> +type tgtd_t;
> +type tgtd_exec_t;
> +init_daemon_domain(tgtd_t, tgtd_exec_t)
> +
> +type tgtd_initrc_exec_t;
> +init_script_file(tgtd_initrc_exec_t)
> +
> +type tgtd_tmp_t;
> +files_tmp_file(tgtd_tmp_t)
> +
> +type tgtd_tmpfs_t;
> +files_tmpfs_file(tgtd_tmpfs_t)
> +
> +type tgtd_var_lib_t;
> +files_type(tgtd_var_lib_t)
> +
> +########################################
> +#
> +# TGTD personal policy.
> +#
> +
> +allow tgtd_t self:capability sys_resource;
> +allow tgtd_t self:process { setrlimit signal };
> +allow tgtd_t self:fifo_file rw_fifo_file_perms;
> +allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
> +allow tgtd_t self:shm create_shm_perms;
> +allow tgtd_t self:sem create_sem_perms;
> +allow tgtd_t self:tcp_socket { create_socket_perms accept listen };
> +allow tgtd_t self:udp_socket create_socket_perms;
> +allow tgtd_t self:unix_dgram_socket create_socket_perms;
> +
> +manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
> +files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
> +
> +manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
> +fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
> +
> +manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
> +manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
> +files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
> +
> +corenet_all_recvfrom_netlabel(tgtd_t)
> +corenet_all_recvfrom_unlabeled(tgtd_t)
> +
> +corenet_sendrecv_iscsi_server_packets(tgtd_t)
> +
> +corenet_tcp_bind_generic_node(tgtd_t)
> +corenet_tcp_bind_iscsi_port(tgtd_t)
> +
> +corenet_tcp_sendrecv_generic_if(tgtd_t)
> +corenet_tcp_sendrecv_generic_node(tgtd_t)
> +
> +corenet_tcp_sendrecv_iscsi_port(tgtd_t)
> +
> +files_read_etc_files(tgtd_t)
> +
> +kernel_read_fs_sysctls(tgtd_t)
> +
> +logging_send_syslog_msg(tgtd_t)
> +
> +miscfiles_read_localization(tgtd_t)
> +
> +storage_getattr_fixed_disk_dev(tgtd_t)


--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150