Re: Tgtd policy


 



On 10/28/2009 09:49 AM, Matthew Ife wrote:
> On Wed, 2009-10-28 at 09:43 -0400, Daniel J Walsh wrote:
>> On 10/28/2009 09:28 AM, Matthew Ife wrote:
>>> Tgtd is an iSCSI target daemon for Linux. It is eventually going to also do
>>> FCoE but currently doesn't.
>>>
>>> Here's my policy for it. It needs some cleanup and I've not tested it
>>> with proper fixed disk devices. I assume the kernel actually does most
>>> of the read/write of the devices itself, so the block device access I've
>>> given the daemon is minimal.
>>>
>>> Any feedback appreciated.
>>>
>>>
>>>
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Better off sending the policy to the refpolicy list
> 
> Done
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
Here are my fixes for your policy.
# tgtd file contexts: init script, daemon binary, configuration and state.
/etc/rc\.d/init\.d/tgtd	--	gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)
/etc/tgt(/.*)?			gen_context(system_u:object_r:tgtd_etc_t, s0)
/usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t, s0)
/var/lib/tgtd(/.*)?		gen_context(system_u:object_r:tgtd_var_lib_t, s0)
## <summary>Tgtd shared policy module.</summary>

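########################################
## <summary>
##	Read tgtd configuration files.
## </summary>
## <desc>
##	<p>
##	Allow the domain to read the tgtd configuration files
##	(tgtd_etc_t) and to search /etc in order to reach them.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Type of domain allowed access
##	</summary>
## </param>
#
interface(`tgtd_read_config_files',`
	gen_require(`
		type tgtd_etc_t;
	')

	# Without search on /etc the caller cannot traverse to /etc/tgt,
	# even though it is allowed to read the files once there.
	files_search_etc($1)
	read_files_pattern($1, tgtd_etc_t, tgtd_etc_t)
')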

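########################################
## <summary>
##	Manage tgtd configuration files and directories.
## </summary>
## <desc>
##	<p>
##	Allow the domain to create, read, write and delete the tgtd
##	configuration files and directories (tgtd_etc_t), and to
##	search /etc in order to reach them.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Type of domain allowed access
##	</summary>
## </param>
#
interface(`tgtd_rw_config_files',`
	gen_require(`
		type tgtd_etc_t;
	')

	# Callers need search on /etc itself to reach /etc/tgt.
	files_search_etc($1)
	# NOTE(review): the interface is named "rw" but grants manage on
	# files and dirs; kept as-is so existing callers lose nothing.
	manage_dirs_pattern($1, tgtd_etc_t, tgtd_etc_t)
	manage_files_pattern($1, tgtd_etc_t, tgtd_etc_t)
	# The former filetrans_pattern($1, tgtd_etc_t, tgtd_etc_t, ...) was a
	# no-op: objects created in a tgtd_etc_t directory already inherit
	# tgtd_etc_t, and the search permission it added is covered above.
')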

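########################################
## <summary>
##	Read tgtd state files in /var/lib.
## </summary>
## <desc>
##	<p>
##	Allow the domain to read the tgtd files under /var/lib/tgtd
##	(tgtd_var_lib_t) and to search /var/lib in order to reach them.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Type of domain allowed access
##	</summary>
## </param>
#
interface(`tgtd_read_var_lib_files',`
	gen_require(`
		type tgtd_var_lib_t;
	')

	# Search on /var/lib is required to reach /var/lib/tgtd.
	files_search_var_lib($1)
	read_files_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
')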

########################################
## <summary>
##	Manage tgtd state under /var/lib.
## </summary>
## <desc>
##	<p>
##	Allow the domain to create, read, write and delete the tgtd
##	directories, files and socket files under /var/lib/tgtd
##	(tgtd_var_lib_t), searching /var/lib to reach them.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Type of domain allowed access
##	</summary>
## </param>
#
interface(`tgtd_manage_var_lib',`
	gen_require(`
		type tgtd_var_lib_t;
	')

	# Reach /var/lib/tgtd, then manage everything of the tgtd type inside it.
	files_search_var_lib($1)
	manage_dirs_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
	manage_files_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
	manage_sock_files_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t)
')

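########################################
## <summary>
##	Connect to tgtd over a unix stream socket.
## </summary>
## <desc>
##	<p>
##	Allow the domain to connect to the target daemon through its
##	socket file under /var/lib/tgtd (tgtd_var_lib_t).
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Type of domain allowed access
##	</summary>
## </param>
#
interface(`tgtd_stream_connect',`
	gen_require(`
		type tgtd_t, tgtd_var_lib_t;
	')

	# The socket lives under /var/lib/tgtd, so the caller must be able to
	# search /var/lib to reach it (as the other var_lib interfaces allow).
	files_search_var_lib($1)
	stream_connect_pattern($1, tgtd_var_lib_t, tgtd_var_lib_t, tgtd_t)
')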
policy_module(tgtd, 1.0.0)

########################################
#
# Declarations
#

# Daemon domain and the executable it is entered from.
type tgtd_t;
type tgtd_exec_t;
init_daemon_domain(tgtd_t, tgtd_exec_t)

# Init script.
type tgtd_initrc_exec_t;
init_script_file(tgtd_initrc_exec_t)

# Configuration under /etc/tgt.
type tgtd_etc_t;
files_config_file(tgtd_etc_t)

# State under /var/lib/tgtd.
type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)

# Private temporary files.
type tgtd_tmp_t;
files_tmp_file(tgtd_tmp_t)

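########################################
#
# tgtd local policy
#

# sys_resource pairs with the setrlimit process permission below.
allow tgtd_t self:capability sys_resource;
allow tgtd_t self:fifo_file { read write };
allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
allow tgtd_t self:process { setrlimit signal };
# Fixed: was "create_shm_prems", which is not a defined permission set.
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:tcp_socket create_stream_socket_perms;
allow tgtd_t self:udp_socket create_socket_perms;
allow tgtd_t self:unix_dgram_socket create_socket_perms;

# Private tmp content is managed as tgtd_tmp_t. The transition out of the
# generic tmp directory goes through the files layer; naming tmp_t directly
# in this module would reference a type it does not declare or require.
manage_dirs_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
manage_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { dir file sock_file })

kernel_read_fs_sysctls(tgtd_t)

# Listens on the iSCSI port.
corenet_all_recvfrom_netlabel(tgtd_t)
corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)

# Probably need tgtd_tmpfs_t
fs_rw_tmpfs_files(tgtd_t)
fs_associate_tmpfs(tgtd_t)

storage_getattr_fixed_disk_dev(tgtd_t)

logging_send_syslog_msg(tgtd_t)

# Are you sure it needs this or just read?
miscfiles_rw_localization(tgtd_t)

tgtd_read_config_files(tgtd_t)
tgtd_manage_var_lib(tgtd_t)

# This should not be here; whatever process is running as initrc_t
# probably needs its own policy.
require { type initrc_t; }

# Fixed: the sem class has no "lock" permission, so rw_shm_perms does not
# apply to it; rw_sem_perms is the matching set for semaphores.
allow tgtd_t initrc_t:sem rw_sem_perms;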

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

