9461b60657
Remove permissive domain from cmirrord and dontaudit sys_tty_config Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser virt needs to be able to read processes to clearance for MLS
75 lines
1.9 KiB
Plaintext
75 lines
1.9 KiB
Plaintext
policy_module(tgtd, 1.1.0)
|
|
|
|
########################################
|
|
#
|
|
# TGTD personal declarations.
|
|
#
|
|
|
|
type tgtd_t;
|
|
type tgtd_exec_t;
|
|
init_daemon_domain(tgtd_t, tgtd_exec_t)
|
|
|
|
type tgtd_initrc_exec_t;
|
|
init_script_file(tgtd_initrc_exec_t)
|
|
|
|
type tgtd_tmp_t;
|
|
files_tmp_file(tgtd_tmp_t)
|
|
|
|
type tgtd_tmpfs_t;
|
|
files_tmpfs_file(tgtd_tmpfs_t)
|
|
|
|
type tgtd_var_lib_t;
|
|
files_type(tgtd_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
# TGTD personal policy.
|
|
#
|
|
|
|
allow tgtd_t self:capability sys_resource;
|
|
allow tgtd_t self:process { setrlimit signal };
|
|
allow tgtd_t self:fifo_file rw_fifo_file_perms;
|
|
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
|
allow tgtd_t self:shm create_shm_perms;
|
|
allow tgtd_t self:sem create_sem_perms;
|
|
allow tgtd_t self:tcp_socket create_stream_socket_perms;
|
|
allow tgtd_t self:udp_socket create_socket_perms;
|
|
allow tgtd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
|
|
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
|
|
|
|
manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
|
|
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
|
|
|
|
manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
|
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
|
|
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
|
|
|
|
kernel_read_fs_sysctls(tgtd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(tgtd_t)
|
|
corenet_all_recvfrom_unlabeled(tgtd_t)
|
|
corenet_tcp_sendrecv_generic_if(tgtd_t)
|
|
corenet_tcp_sendrecv_generic_node(tgtd_t)
|
|
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
|
|
corenet_tcp_bind_generic_node(tgtd_t)
|
|
corenet_tcp_bind_iscsi_port(tgtd_t)
|
|
corenet_sendrecv_iscsi_server_packets(tgtd_t)
|
|
|
|
dev_search_sysfs(tgtd_t)
|
|
|
|
files_read_etc_files(tgtd_t)
|
|
|
|
fs_read_anon_inodefs_files(tgtd_t)
|
|
|
|
storage_manage_fixed_disk(tgtd_t)
|
|
|
|
logging_send_syslog_msg(tgtd_t)
|
|
|
|
miscfiles_read_localization(tgtd_t)
|
|
|
|
optional_policy(`
|
|
iscsi_manage_semaphores(tgtd_t)
|
|
')
|