From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 03 Nov 2009 09:26:01 -0500 Subject: [refpolicy] [ RETRY tgtd policy. 1/1] RESET tgtd daemon. In-Reply-To: <20091028170003.GA22120@home.localdomain> References: <20091028170003.GA22120@home.localdomain> Message-ID: <1257258361.5178.112.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2009-10-28 at 17:00 +0000, Matthew Ife wrote: > This one makes an effort to check for syntax and that it actually compiles. Merged. > Signed-off-by: Matthew Ife > --- > :000000 100644 0000000... 5812689... A policy/modules/services/tgtd.fc > :000000 100644 0000000... d497936... A policy/modules/services/tgtd.if > :000000 100644 0000000... ca91b84... A policy/modules/services/tgtd.te > policy/modules/services/tgtd.fc | 3 ++ > policy/modules/services/tgtd.if | 11 ++++++ > policy/modules/services/tgtd.te | 70 +++++++++++++++++++++++++++++++++++++++ > 3 files changed, 84 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc > new file mode 100644 > index 0000000..5812689 > --- /dev/null > +++ b/policy/modules/services/tgtd.fc > @@ -0,0 +1,3 @@ > +/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0) > +/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0) > +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0) > diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if > new file mode 100644 > index 0000000..d497936 > --- /dev/null > +++ b/policy/modules/services/tgtd.if > @@ -0,0 +1,11 @@ > +## Linux Target Framework Daemon. > +## > +##

> +## Linux target framework (tgt) aims to simplify various > +## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation > +## and maintenance. Our key goals are the clean integration into > +## the scsi-mid layer and implementing a great portion of tgt > +## in user space. > +##

> +##
> + > diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te > new file mode 100644 > index 0000000..ca91b84 > --- /dev/null > +++ b/policy/modules/services/tgtd.te 
> @@ -0,0 +1,70 @@ > +policy_module(tgtd, 1.0.0) > + > +######################################## > +# > +# TGTD personal declarations. > +# > + > +type tgtd_t; > +type tgtd_exec_t; > +init_daemon_domain(tgtd_t, tgtd_exec_t) > + > +type tgtd_initrc_exec_t; > +init_script_file(tgtd_initrc_exec_t) > + > +type tgtd_tmp_t; > +files_tmp_file(tgtd_tmp_t) > + > +type tgtd_tmpfs_t; > +files_tmpfs_file(tgtd_tmpfs_t) > + > +type tgtd_var_lib_t; > +files_type(tgtd_var_lib_t) > + > +######################################## > +# > +# TGTD personal policy. > +# > + > +allow tgtd_t self:capability sys_resource; > +allow tgtd_t self:process { setrlimit signal }; > +allow tgtd_t self:fifo_file rw_fifo_file_perms; > +allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; > +allow tgtd_t self:shm create_shm_perms; > +allow tgtd_t self:sem create_sem_perms; > +allow tgtd_t self:tcp_socket { create_socket_perms accept listen }; > +allow tgtd_t self:udp_socket create_socket_perms; > +allow tgtd_t self:unix_dgram_socket create_socket_perms; > + > +manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) > +files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file }) > + > +manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) > +fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) > + > +manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) > +manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) > +files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) > + > +corenet_all_recvfrom_netlabel(tgtd_t) > +corenet_all_recvfrom_unlabeled(tgtd_t) > + > +corenet_sendrecv_iscsi_server_packets(tgtd_t) > + > +corenet_tcp_bind_generic_node(tgtd_t) > +corenet_tcp_bind_iscsi_port(tgtd_t) > + > +corenet_tcp_sendrecv_generic_if(tgtd_t) > +corenet_tcp_sendrecv_generic_node(tgtd_t) > + > +corenet_tcp_sendrecv_iscsi_port(tgtd_t) > + > +files_read_etc_files(tgtd_t) > + > +kernel_read_fs_sysctls(tgtd_t) > + > +logging_send_syslog_msg(tgtd_t) > + > 
+miscfiles_read_localization(tgtd_t) > + > +storage_getattr_fixed_disk_dev(tgtd_t) -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
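Review bot: the tgtd.if hunk carries only the module summary and description and declares no interfaces, so no other domain can be granted access to tgtd_t, tgtd_initrc_exec_t or tgtd_var_lib_t without editing this module. The usual refpolicy minimum for a new daemon is a tgtd_admin() interface that lets an administrative domain signal the daemon, run the init script via init_labeled_script_domtrans() on tgtd_initrc_exec_t, and manage the tgtd_var_lib_t, tgtd_tmp_t and tgtd_tmpfs_t contents; without it the module cannot be administered from anything but an unconfined domain.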
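Review bot: storage_getattr_fixed_disk_dev(tgtd_t) at the end of the tgtd.te hunk is the only fixed-disk access granted, so a target whose backing store is a block device rather than a file under tgtd_var_lib_t will be denied when tgtd opens it; either state that only file-backed stores are supported or put raw fixed-disk read/write behind a tunable rather than granting it unconditionally. Two of the self rules can use the standard permission sets: "allow tgtd_t self:tcp_socket { create_socket_perms accept listen };" is create_stream_socket_perms, and "allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };" is r_netlink_socket_perms. The udp_socket create_socket_perms rule has no matching corenet_udp_* or sysnet_dns_name_resolve() call, so either it exists for name resolution and sysnet_dns_name_resolve(tgtd_t) is missing, or the rule is unneeded and should be dropped. The "TGTD personal declarations" and "TGTD personal policy" section comments should follow the refpolicy convention of "Declarations" and "Local policy".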