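# iscsi.te -- SELinux reference-policy module for the Open-iSCSI initiator
# daemon (iscsid).  Everything below confines one domain, iscsid_t.  The
# blame/gutter cells of the rendered listing have been stripped so the module
# is loadable; every rule is reproduced as found, with review notes on the
# grants that deserve a second look.
policy_module(iscsi, 1.7.0)

########################################
#
# Declarations
#

# Daemon domain and the entrypoint label of its binary.  init_daemon_domain
# sets up the init -> iscsid_t transition; it already implies domain_type(),
# which is kept here only for fidelity with the original.
type iscsid_t;
type iscsid_exec_t;
domain_type(iscsid_t)
init_daemon_domain(iscsid_t, iscsid_exec_t)

# Lock file type (lock directory).
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)

# Log file type (log directory).
type iscsi_log_t;
logging_log_file(iscsi_log_t)

# Temporary files; created on tmpfs, see fs_tmpfs_filetrans below.
type iscsi_tmp_t;
files_tmp_file(iscsi_tmp_t)

# Persistent state under /var/lib; iscsid_t only reads it in this policy.
type iscsi_var_lib_t;
files_type(iscsi_var_lib_t)

# PID file type (/run, /var/run).
type iscsi_var_run_t;
files_pid_file(iscsi_var_run_t)

########################################
#
# iscsid local policy
#

# NOTE(review): this is a wide capability set for a storage daemon.
# dac_override bypasses file-permission checks, net_admin/net_raw give
# interface control and raw sockets, and sys_admin is effectively a
# catch-all.  Each should be traceable to a specific AVC denial; TODO
# confirm that sys_admin and dac_override in particular are still required.
allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
# connectto: iscsid_t may connect to a unix stream socket that another
# process in the same domain is listening on (presumably a helper).
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
# Generic netlink socket (presumably for the kernel iSCSI transport).
# NOTE(review): on policies that define a dedicated netlink_iscsi_socket
# class, that class should be used instead of the generic one -- confirm.
allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
allow iscsid_t self:tcp_socket create_stream_socket_perms;

# iscsid_t may re-execute its own binary without a domain change.
can_exec(iscsid_t, iscsid_exec_t)

manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)

manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
logging_log_filetrans(iscsid_t, iscsi_log_t, file)

# Temp files and dirs live on tmpfs; no /tmp transition is declared here,
# so nothing in this module lets iscsid_t write under /tmp.
manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )

# Read-only access to the /var/lib state (list, read files and symlinks).
# NOTE(review): if the daemon itself ever has to update this state, a
# manage_* pattern on iscsi_var_lib_t would be needed -- confirm intent.
allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
files_search_var_lib(iscsid_t)

manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)

# /proc reads: network state and general system state.
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)

# Network: receive from unlabeled and netlabel peers, send/receive on any
# interface, node and TCP port; outbound connect() is limited to the http,
# iscsi and isns ports.
# NOTE(review): an http-port connect is unusual for an iSCSI initiator --
# confirm what it is used for, or drop it.
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)

# Device access.  The raw memory and userio grants are the highest-risk
# rules in this module: with read/write access to raw memory devices a
# compromised iscsid_t can read or patch physical memory directly, which
# defeats the confinement the rest of this policy provides.  Presumably
# required by an offload/HBA user-space driver path; TODO confirm that is
# still the case and remove dev_read_raw_memory/dev_write_raw_memory if not.
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
dev_read_raw_memory(iscsid_t)
dev_write_raw_memory(iscsid_t)

domain_use_interactive_fds(iscsid_t)
# dontaudit only silences, it does not allow, reads of other domains' state.
domain_dontaudit_read_all_domains_state(iscsid_t)

files_read_etc_files(iscsid_t)

# Name-service lookups through the nsswitch configuration.
auth_use_nsswitch(iscsid_t)

init_stream_connect_script(iscsid_t)

logging_send_syslog_msg(iscsid_t)

miscfiles_read_localization(iscsid_t)

# Only when the tgtd module is loaded: manage semaphores shared with tgtd.
optional_policy(`
	tgtd_manage_semaphores(iscsid_t)
')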