Iscsi and tgtd patches from Dan Walsh.

policy/modules/services/tgtd.if

@@ -9,3 +9,20 @@
 ##	</p>
 ## </desc>
 
+#####################################
+## <summary>
+##      Allow read and write access to tgtd semaphores.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`tgtd_rw_semaphores',`
+        gen_require(`
+                type tgtd_t;
+        ')
+
+        allow $1 tgtd_t:sem rw_sem_perms;
+')

policy/modules/services/tgtd.te

@@ -1,5 +1,5 @@
 
-policy_module(tgtd, 1.0.0)
+policy_module(tgtd, 1.0.1)
 
 ########################################
 #
@@ -60,7 +60,7 @@ corenet_sendrecv_iscsi_server_packets(tgtd_t)
 
 files_read_etc_files(tgtd_t)
 
-storage_getattr_fixed_disk_dev(tgtd_t)
+storage_manage_fixed_disk(tgtd_t)
 
 logging_send_syslog_msg(tgtd_t)
 

policy/modules/system/iscsi.fc

@@ -1,5 +1,7 @@
 /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 
 /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
 /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/log/brcm-iscsi\.log --	gen_context(system_u:object_r:iscsi_log_t,s0)
 /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)

policy/modules/system/iscsi.te

@@ -1,5 +1,5 @@
 
-policy_module(iscsi, 1.6.1)
+policy_module(iscsi, 1.6.2)
 
 ########################################
 #
@@ -14,6 +14,9 @@ init_daemon_domain(iscsid_t, iscsid_exec_t)
 type iscsi_lock_t;
 files_lock_file(iscsi_lock_t)
 
+type iscsi_log_t;
+logging_log_file(iscsi_log_t)
+
 type iscsi_tmp_t;
 files_tmp_file(iscsi_tmp_t)
 
@@ -36,15 +39,21 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms;
 allow iscsid_t self:sem create_sem_perms;
 allow iscsid_t self:shm create_shm_perms;
 allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; 
 allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
 allow iscsid_t self:tcp_socket create_stream_socket_perms;
 
+can_exec(iscsid_t, iscsid_exec_t)
+
 manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
 files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
 
-allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
-allow iscsid_t iscsi_tmp_t:file manage_file_perms;
-fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+
+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
 
 allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
 read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
@@ -54,8 +63,8 @@ files_search_var_lib(iscsid_t)
 manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
 files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
 
+kernel_read_network_state(iscsid_t)
 kernel_read_system_state(iscsid_t)
-kernel_search_debugfs(iscsid_t)
 
 corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
@@ -67,13 +76,21 @@ corenet_tcp_connect_iscsi_port(iscsid_t)
 corenet_tcp_connect_isns_port(iscsid_t)
 
 dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
+domain_dontaudit_read_all_domains_state(iscsid_t)
 
 files_read_etc_files(iscsid_t)
 
-logging_send_syslog_msg(iscsid_t)
-
 auth_use_nsswitch(iscsid_t)
 
+init_stream_connect_script(iscsid_t)
+
+logging_send_syslog_msg(iscsid_t)
+
 miscfiles_read_localization(iscsid_t)
+
+optional_policy(`
+	tgtd_rw_semaphores(iscsid_t)
+')