Iscsi and tgtd patches from Dan Walsh.
parent
939eaf2f13
commit
30496b1575
@ -9,3 +9,20 @@
|
|||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
## <summary>
|
||||||
|
## Allow read and write access to tgtd semaphores.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`tgtd_rw_semaphores',`
|
||||||
|
gen_require(`
|
||||||
|
type tgtd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 tgtd_t:sem rw_sem_perms;
|
||||||
|
')
|
||||||
|
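Review bot: The separator line introducing the new `tgtd_rw_semaphores` interface is 37 characters wide while the separators elsewhere in this commit are the refpolicy-standard 40, `########################################`; match that so the block reads like its neighbours. The interface body itself has the usual gen_require/allow shape, but its summary undersells what it hands out: `rw_sem_perms` presumably includes the write permissions, so a caller can change tgtd's semaphore state, not merely inspect it. A slightly sharper summary, `## Allow read and write access to tgtd semaphores (the caller can modify their state).`, would make that visible to anyone reaching for the interface. No file header is visible in this section, so the path is inferred to be tgtd.if.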
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(tgtd, 1.0.0)
|
policy_module(tgtd, 1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -60,7 +60,7 @@ corenet_sendrecv_iscsi_server_packets(tgtd_t)
|
|||||||
|
|
||||||
files_read_etc_files(tgtd_t)
|
files_read_etc_files(tgtd_t)
|
||||||
|
|
||||||
storage_getattr_fixed_disk_dev(tgtd_t)
|
storage_manage_fixed_disk(tgtd_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(tgtd_t)
|
logging_send_syslog_msg(tgtd_t)
|
||||||
|
|
||||||
|
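Review bot: Replacing `storage_getattr_fixed_disk_dev(tgtd_t)` with `storage_manage_fixed_disk(tgtd_t)` moves tgtd from stat-only to full manage permissions on fixed-disk device nodes, and the hunk gives no rationale for the jump. A target daemon serving block-backed LUNs plausibly needs raw read and write on the backing device, but manage presumably also allows creating, unlinking and renaming the device nodes themselves, which tgtd should not need. If read/write is the real requirement, the narrower pair `storage_raw_read_fixed_disk(tgtd_t)` and `storage_raw_write_fixed_disk(tgtd_t)` keeps the module closer to least privilege; if manage is genuinely needed, a one-line comment above it, `# tgtd exports fixed disks as iSCSI LUNs`, should record why.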
@ -1,5 +1,7 @@
|
|||||||
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
||||||
|
/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
||||||
|
|
||||||
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
|
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
|
||||||
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
|
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
|
||||||
|
/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
|
||||||
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
|
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
|
||||||
|
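Review bot: Labeling `/sbin/brcm_iscsiuio` as `iscsid_exec_t` folds a second program (presumably the Broadcom iSCSI offload userspace helper) into the iscsid domain, so every permission iscsid_t holds, plus the ones this commit adds for the helper, is shared by both binaries. That is the quickest way to get it running, but a dedicated domain with its own entrypoint type would let the hardware-facing helper carry only the access it needs. If the shared label is deliberate, a comment next to the new entry, `# brcm_iscsiuio runs in iscsid_t together with iscsid (see iscsi.te)`, would make the choice explicit for the next maintainer.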
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(iscsi, 1.6.1)
|
policy_module(iscsi, 1.6.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -14,6 +14,9 @@ init_daemon_domain(iscsid_t, iscsid_exec_t)
|
|||||||
type iscsi_lock_t;
|
type iscsi_lock_t;
|
||||||
files_lock_file(iscsi_lock_t)
|
files_lock_file(iscsi_lock_t)
|
||||||
|
|
||||||
|
type iscsi_log_t;
|
||||||
|
logging_log_file(iscsi_log_t)
|
||||||
|
|
||||||
type iscsi_tmp_t;
|
type iscsi_tmp_t;
|
||||||
files_tmp_file(iscsi_tmp_t)
|
files_tmp_file(iscsi_tmp_t)
|
||||||
|
|
||||||
@ -36,15 +39,21 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms;
|
|||||||
allow iscsid_t self:sem create_sem_perms;
|
allow iscsid_t self:sem create_sem_perms;
|
||||||
allow iscsid_t self:shm create_shm_perms;
|
allow iscsid_t self:shm create_shm_perms;
|
||||||
allow iscsid_t self:netlink_socket create_socket_perms;
|
allow iscsid_t self:netlink_socket create_socket_perms;
|
||||||
|
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
|
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||||
allow iscsid_t self:tcp_socket create_stream_socket_perms;
|
allow iscsid_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
can_exec(iscsid_t, iscsid_exec_t)
|
||||||
|
|
||||||
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
|
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
|
||||||
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
|
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
|
||||||
|
|
||||||
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
|
manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
|
||||||
allow iscsid_t iscsi_tmp_t:file manage_file_perms;
|
logging_log_filetrans(iscsid_t, iscsi_log_t, file)
|
||||||
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
|
|
||||||
|
manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
|
||||||
|
manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
|
||||||
|
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
|
||||||
|
|
||||||
allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
|
allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
|
||||||
read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
|
read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
|
||||||
@ -54,8 +63,8 @@ files_search_var_lib(iscsid_t)
|
|||||||
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
|
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
|
||||||
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
|
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
|
||||||
|
|
||||||
|
kernel_read_network_state(iscsid_t)
|
||||||
kernel_read_system_state(iscsid_t)
|
kernel_read_system_state(iscsid_t)
|
||||||
kernel_search_debugfs(iscsid_t)
|
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(iscsid_t)
|
corenet_all_recvfrom_unlabeled(iscsid_t)
|
||||||
corenet_all_recvfrom_netlabel(iscsid_t)
|
corenet_all_recvfrom_netlabel(iscsid_t)
|
||||||
@ -67,13 +76,21 @@ corenet_tcp_connect_iscsi_port(iscsid_t)
|
|||||||
corenet_tcp_connect_isns_port(iscsid_t)
|
corenet_tcp_connect_isns_port(iscsid_t)
|
||||||
|
|
||||||
dev_rw_sysfs(iscsid_t)
|
dev_rw_sysfs(iscsid_t)
|
||||||
|
dev_rw_userio_dev(iscsid_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(iscsid_t)
|
domain_use_interactive_fds(iscsid_t)
|
||||||
|
domain_dontaudit_read_all_domains_state(iscsid_t)
|
||||||
|
|
||||||
files_read_etc_files(iscsid_t)
|
files_read_etc_files(iscsid_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(iscsid_t)
|
|
||||||
|
|
||||||
auth_use_nsswitch(iscsid_t)
|
auth_use_nsswitch(iscsid_t)
|
||||||
|
|
||||||
|
init_stream_connect_script(iscsid_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(iscsid_t)
|
||||||
|
|
||||||
miscfiles_read_localization(iscsid_t)
|
miscfiles_read_localization(iscsid_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tgtd_rw_semaphores(iscsid_t)
|
||||||
|
')
|
||||||
|
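Review bot: `dev_rw_userio_dev(iscsid_t)` in the last hunk grants read/write on userio device nodes with no comment explaining the need; that interface presumably covers every `/dev/uio*` node (userio_device_t), i.e. direct mapped hardware access, not only the NIC the offload helper talks to. Given that the fc change in this same commit places brcm_iscsiuio in this domain, the grant looks like it serves the helper rather than iscsid proper, which is worth recording above the line: `# brcm_iscsiuio (labeled iscsid_exec_t) drives the offload NIC via /dev/uio*`. In the same hunk, `domain_dontaudit_read_all_domains_state(iscsid_t)` silences denials instead of explaining them, so a short note on what triggers the reads of other domains' /proc state would help future triage. The remaining additions (`kernel_read_network_state`, `can_exec` on its own entrypoint, the `{ dir file }` tmpfs transition and the optional `tgtd_rw_semaphores` call) are consistent with the rest of the module's style.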