commit: aec7fe65c4b3c63438570f4e00109787fc3a1a0f |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 12:06:45 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:51:32 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aec7fe65 |
|
Changes to the tgtd policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/tgtd.fc | 4 ++ |
policy/modules/contrib/tgtd.if | 78 ++++++++++++++++++++++++++++++++++------ |
policy/modules/contrib/tgtd.te | 33 +++++++++++++---- |
3 files changed, 96 insertions(+), 19 deletions(-) |
|
diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc |
21 |
index 0ce7e61..38389e6 100644 |
22 |
--- a/policy/modules/contrib/tgtd.fc |
23 |
+++ b/policy/modules/contrib/tgtd.fc |
24 |
@@ -1,3 +1,7 @@ |
25 |
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) |
26 |
+ |
27 |
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) |
28 |
+ |
29 |
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) |
30 |
+ |
31 |
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) |
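Review bot: The new `/var/run/tgtd.*` entry is limited to socket files by `-s`, while the tgtd.te side of this commit grants `files_pid_filetrans(tgtd_t, tgtd_var_run_t, { file sock_file })`, so a regular file tgtd creates under /var/run (presumably a pid file) is labeled tgtd_var_run_t at runtime but falls back to the generic pid type on a relabel with restorecon, and the visible policy gives tgtd_t no access to that generic type. If tgtd does write a regular file there, drop the `-s` or add an explicit entry such as `/var/run/tgtd\.pid -- gen_context(system_u:object_r:tgtd_var_run_t,s0)`; if it only creates the socket, the `file` class should come out of the filetrans instead. The unanchored `tgtd.*` also matches any name starting with `tgtd`, which is the usual refpolicy idiom but worth narrowing to the real socket name if it is known.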
32 |
|
33 |
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if |
34 |
index c2ed23a..5406b6e 100644 |
35 |
--- a/policy/modules/contrib/tgtd.if |
36 |
+++ b/policy/modules/contrib/tgtd.if |
37 |
@@ -1,17 +1,8 @@ |
38 |
## <summary>Linux Target Framework Daemon.</summary> |
39 |
-## <desc> |
40 |
-## <p> |
41 |
-## Linux target framework (tgt) aims to simplify various |
42 |
-## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation |
43 |
-## and maintenance. Our key goals are the clean integration into |
44 |
-## the scsi-mid layer and implementing a great portion of tgt |
45 |
-## in user space. |
46 |
-## </p> |
47 |
-## </desc> |
48 |
|
49 |
##################################### |
50 |
## <summary> |
51 |
-## Allow read and write access to tgtd semaphores. |
52 |
+## Read and write tgtd semaphores. |
53 |
## </summary> |
54 |
## <param name="domain"> |
55 |
## <summary> |
56 |
@@ -29,7 +20,8 @@ interface(`tgtd_rw_semaphores',` |
57 |
|
58 |
###################################### |
59 |
## <summary> |
60 |
-## Manage tgtd sempaphores. |
61 |
+## Create, read, write, and delete |
62 |
+## tgtd sempaphores. |
63 |
## </summary> |
64 |
## <param name="domain"> |
65 |
## <summary> |
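Review bot: The rewritten summary line `+## tgtd sempaphores.` carries the typo over from the old text; these summaries are what the interface documentation is generated from, so it should read `## tgtd semaphores.`. The "Create, read, write, and delete" wording itself matches the refpolicy convention for manage interfaces.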
66 |
@@ -44,3 +36,67 @@ interface(`tgtd_manage_semaphores',` |
67 |
|
68 |
allow $1 tgtd_t:sem create_sem_perms; |
69 |
') |
70 |
+ |
71 |
+###################################### |
72 |
+## <summary> |
73 |
+## Connect to tgtd with a unix |
74 |
+## domain stream socket. |
75 |
+## </summary> |
76 |
+## <param name="domain"> |
77 |
+## <summary> |
78 |
+## Domain allowed access. |
79 |
+## </summary> |
80 |
+## </param> |
81 |
+# |
82 |
+interface(`tgtd_stream_connect',` |
83 |
+ gen_require(` |
84 |
+ type tgtd_t, tgtd_var_run_t; |
85 |
+ ') |
86 |
+ |
87 |
+ files_search_pids($1) |
88 |
+ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t) |
89 |
+') |
90 |
+ |
91 |
+######################################## |
92 |
+## <summary> |
93 |
+## All of the rules required to |
94 |
+## administrate an tgtd environment. |
95 |
+## </summary> |
96 |
+## <param name="domain"> |
97 |
+## <summary> |
98 |
+## Domain allowed access. |
99 |
+## </summary> |
100 |
+## </param> |
101 |
+## <param name="role"> |
102 |
+## <summary> |
103 |
+## Role allowed access. |
104 |
+## </summary> |
105 |
+## </param> |
106 |
+## <rolecap/> |
107 |
+# |
108 |
+interface(`tgtd_admin',` |
109 |
+ gen_require(` |
110 |
+ type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t; |
111 |
+ type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t; |
112 |
+ ') |
113 |
+ |
114 |
+ allow $1 tgtd_t:process { ptrace signal_perms }; |
115 |
+ ps_process_pattern($1, tgtd_t) |
116 |
+ |
117 |
+ init_labeled_script_domtrans($1, tgtd_initrc_exec_t) |
118 |
+ domain_system_change_exemption($1) |
119 |
+ role_transition $2 tgtd_initrc_exec_t system_r; |
120 |
+ allow $2 system_r; |
121 |
+ |
122 |
+ files_search_var_lib($1) |
123 |
+ admin_pattern($1, tgtd_var_lib_t) |
124 |
+ |
125 |
+ files_search_pids($1) |
126 |
+ admin_pattern($1, tgtd_var_run_t) |
127 |
+ |
128 |
+ files_search_tmp($1) |
129 |
+ admin_pattern($1, tgtd_tmp_t) |
130 |
+ |
131 |
+ files_search_tmpfs($1) |
132 |
+ admin_pattern($1, tgtd_tmpfs_t) |
133 |
+') |
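Review bot: `tgtd_admin` grants `allow $1 tgtd_t:process { ptrace signal_perms };`, and ptrace lets the admin domain read and rewrite the memory of a daemon that exports block storage over the network, while `signal_perms`, `ps_process_pattern` and the init script transition already cover starting, stopping and inspecting the service. Unless attaching a debugger from the admin role is a stated requirement, I would drop ptrace from this interface or gate it behind a tunable, as `allow $1 tgtd_t:process signal_perms;`. Separately, `tgtd_stream_connect` only reaches sockets labeled tgtd_var_run_t, but the tgtd.te module also lets tgtd_t create socket files of type tgtd_tmp_t under /tmp; if the management socket actually lives there, callers of this interface will still be denied, so it is worth confirming which location the daemon uses. The summary also has a grammar slip and should read `## administrate a tgtd environment.`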
134 |
|
135 |
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te |
136 |
index 80fe75c..dc22f11 100644 |
137 |
--- a/policy/modules/contrib/tgtd.te |
138 |
+++ b/policy/modules/contrib/tgtd.te |
139 |
@@ -1,8 +1,8 @@ |
140 |
-policy_module(tgtd, 1.2.0) |
141 |
+policy_module(tgtd, 1.2.2) |
142 |
|
143 |
######################################## |
144 |
# |
145 |
-# TGTD personal declarations. |
146 |
+# Declarations |
147 |
# |
148 |
|
149 |
type tgtd_t; |
150 |
@@ -21,23 +21,25 @@ files_tmpfs_file(tgtd_tmpfs_t) |
151 |
type tgtd_var_lib_t; |
152 |
files_type(tgtd_var_lib_t) |
153 |
|
154 |
+type tgtd_var_run_t; |
155 |
+files_pid_file(tgtd_var_run_t) |
156 |
+ |
157 |
######################################## |
158 |
# |
159 |
-# TGTD personal policy. |
160 |
+# Local policy |
161 |
# |
162 |
|
163 |
allow tgtd_t self:capability sys_resource; |
164 |
allow tgtd_t self:process { setrlimit signal }; |
165 |
allow tgtd_t self:fifo_file rw_fifo_file_perms; |
166 |
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; |
167 |
+allow tgtd_t self:netlink_route_socket r_netlink_socket_perms; |
168 |
allow tgtd_t self:shm create_shm_perms; |
169 |
allow tgtd_t self:sem create_sem_perms; |
170 |
allow tgtd_t self:tcp_socket create_stream_socket_perms; |
171 |
allow tgtd_t self:udp_socket create_socket_perms; |
172 |
-allow tgtd_t self:unix_dgram_socket create_socket_perms; |
173 |
|
174 |
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) |
175 |
-files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file }) |
176 |
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file) |
177 |
|
178 |
manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) |
179 |
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) |
180 |
@@ -46,21 +48,36 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) |
181 |
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) |
182 |
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) |
183 |
|
184 |
+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) |
185 |
+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) |
186 |
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) |
187 |
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) |
188 |
+ |
189 |
+kernel_read_system_state(tgtd_t) |
190 |
kernel_read_fs_sysctls(tgtd_t) |
191 |
|
192 |
corenet_all_recvfrom_netlabel(tgtd_t) |
193 |
corenet_all_recvfrom_unlabeled(tgtd_t) |
194 |
corenet_tcp_sendrecv_generic_if(tgtd_t) |
195 |
corenet_tcp_sendrecv_generic_node(tgtd_t) |
196 |
-corenet_tcp_sendrecv_iscsi_port(tgtd_t) |
197 |
corenet_tcp_bind_generic_node(tgtd_t) |
198 |
-corenet_tcp_bind_iscsi_port(tgtd_t) |
199 |
+ |
200 |
corenet_sendrecv_iscsi_server_packets(tgtd_t) |
201 |
+corenet_tcp_bind_iscsi_port(tgtd_t) |
202 |
+corenet_tcp_sendrecv_iscsi_port(tgtd_t) |
203 |
+ |
204 |
+dev_read_sysfs(tgtd_t) |
205 |
|
206 |
files_read_etc_files(tgtd_t) |
207 |
|
208 |
+fs_read_anon_inodefs_files(tgtd_t) |
209 |
+ |
210 |
storage_manage_fixed_disk(tgtd_t) |
211 |
|
212 |
logging_send_syslog_msg(tgtd_t) |
213 |
|
214 |
miscfiles_read_localization(tgtd_t) |
215 |
+ |
216 |
+optional_policy(` |
217 |
+ iscsi_manage_semaphores(tgtd_t) |
218 |
+') |
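Review bot: `manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)` is paired with `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })`, which does not include `dir`, so any directory tgtd_t creates under /var/run gets the generic pid type rather than tgtd_var_run_t and the dir manage rule never applies to it. Either add `dir` to the filetrans together with a matching `/var/run/tgtd(/.*)?` entry in tgtd.fc, or drop the dir rule if tgtd only creates a socket and a pid file; the tgtd.fc change in this commit labels only socket files, which suggests the dir rule is surplus. The new lines also omit the space after the comma in `tgtd_var_run_t,tgtd_var_run_t` and `tgtd_t,tgtd_var_run_t`, unlike the rest of the file; `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)` is the house style.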