From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Fwd: Re: Tgtd policy]
Date: Wed, 28 Oct 2009 15:16:27 +0100
Message-ID: <1256739387.10139.2.camel@localhost>
In-Reply-To: <1256738209.20466.3.camel@home.localdomain>
On Wed, 2009-10-28 at 13:56 +0000, Matthew Ife wrote:
I removed the tgtd_config_t since it's not installed by the package and
not strictly required unless it has a password or anything secret in it.
I also made tgtd_t a permissive domain for now so that you can test it.
It may require additional permission for "self".
Attached:
> email message attachment, "Forwarded message - Re: Tgtd policy"
> > -------- Forwarded Message --------
> > From: Daniel J Walsh <dwalsh@redhat.com>
> > To: Matthew Ife <deleriux@airattack-central.com>
> > Cc: fedora-selinux-list at redhat.com
> > Subject: Re: Tgtd policy
> > Date: Wed, 28 Oct 2009 09:43:28 -0400
> >
-------------- next part --------------
policy_module(tgtd, 1.0.0)
########################################
#
# TGTD personal declarations.
#
type tgtd_t;
type tgtd_exec_t;
init_daemon_domain(tgtd_t, tgtd_exec_t)
type tgtd_initrc_exec_t;
init_script_file(tgtd_initrc_exec_t)
type tgtd_tmp_t;
files_tmp_file(tgtd_tmp_t)
type tgtd_tmpfs_t;
files_tmpfs_file(tgtd_tmpfs_t)
type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)
permissive tgtd_t;
########################################
#
# TGTD personal policy.
#
allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:tcp_socket { create_socket_perms listen };
allow tgtd_t self:udp_socket create_socket_perms;
allow tgtd_t self:unix_dgram_socket create_socket_perms;
# Directory type is tgtd_tmp_t; tmp_t is not declared or required in this module.
manage_dirs_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
manage_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { dir file sock_file })
manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
corenet_all_recvfrom_netlabel(tgtd_t)
corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
files_read_etc_files(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
logging_send_syslog_msg(tgtd_t)
miscfiles_read_localization(tgtd_t)
storage_getattr_fixed_disk_dev(tgtd_t)
-------------- next part --------------
## <summary>Linux Target Framework Daemon.</summary>
## <desc>
## <p>
## Linux target framework (tgt) aims to simplify various
## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
## and maintenance. Our key goals are the clean integration into
## the scsi-mid layer and implementing a great portion of tgt
## in user space.
## </p>
## </desc>
-------------- next part --------------
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0)
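Added example, not part of the original message or of refpolicy: while tgtd_t is permissive, accesses the policy lacks are logged as AVC denials instead of being blocked, so the missing "self" permissions mentioned in the reply can be collected from the audit log. The log lines below are constructed samples (they do not describe what tgtd actually needs), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1256739400.101:51): avc:  denied  { create } for  pid=2101 comm="tgtd" scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:system_r:tgtd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1256739400.102:52): avc:  denied  { connect } for  pid=2101 comm="tgtd" scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:system_r:tgtd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1256739400.200:53): avc:  denied  { ipc_lock } for  pid=2101 comm="tgtd" capability=14 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1256739401.300:54): avc:  denied  { read } for  pid=2101 comm="tgtd" name="sda" dev=tmpfs ino=512 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1256739402.400:55): avc:  denied  { create } for  pid=900 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_route_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def self_denials(log_text, domain):
    """Map object class -> denied permissions where source and target are both `domain`."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A "self" rule applies only when the domain acts on its own context.
        if context_type(m["scon"]) == domain and context_type(m["tcon"]) == domain:
            missing[m["tclass"]].update(m["perms"].split())
    return missing

def as_allow_rules(missing, domain):
    """Render the collected denials as candidate rules for manual review."""
    rules = []
    for tclass in sorted(missing):
        perms = sorted(missing[tclass])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {domain} self:{tclass} {body};")
    return rules

if __name__ == "__main__":
    for rule in as_allow_rules(self_denials(SAMPLE_AUDIT_LOG, "tgtd_t"), "tgtd_t"):
        print(rule)
```

The output is a review list, not policy to paste in: each candidate rule should be checked against what the daemon is expected to do before the `permissive tgtd_t;` line is removed.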