author | Kenton Groombridge <concord@gentoo.org> | 2024-01-12 17:06:33 -0500 |
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:04:43 -0500 |
commit | 01f3a800454ee47de776b8fca7daaa0abebaa37e (patch) | |
tree | ebe5e4f983362b9db6f5c7eb4d3ee6349681542c | |
parent | systemd: label systemd-pcrlock as systemd-pcrphase (diff) | |
zfs: allow zfs to write to exports
Needed by zfs-mount.service.
type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61
type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)
type=AVC msg=audit(1705092131.987:49): avc: denied { write } for pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/rpc.if | 18 | ||||
-rw-r--r-- | policy/modules/services/zfs.te | 3 |
2 files changed, 21 insertions, 0 deletions
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 6a1e15b4..dfc67a01 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -52,6 +52,24 @@ template(`rpc_domain_template',`
 ########################################
 ## <summary>
+## List export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_list_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to get
 ## attributes of export files.
 ## </summary>
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 8db6dfcc..57dbe058 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -144,7 +144,10 @@ optional_policy(`
 kernel_rw_rpc_sysctls(zfs_t)
 rpc_manage_nfs_state_data(zfs_t)
+ rpc_list_exports(zfs_t)
+ rpc_create_exports(zfs_t)
 rpc_read_exports(zfs_t)
+ rpc_write_exports(zfs_t)
 ')
 ####################################### |
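Review bot: The summary `## List export files.` on the new rpc_list_exports interface describes a file operation, but the only rule it adds is `allow $1 exports_t:dir list_dir_perms;`, a directory permission set; `## List the exports directory.` would match the rule and avoid suggesting that file contents become readable. Since the interface grants no file-class access, a caller that also needs to read or write the export files has to pair it with rpc_read_exports or rpc_write_exports, as zfs.te does in the second hunk; a short `## Does not grant access to the export files themselves.` line in the summary would make that explicit for the next caller. The surrounding interfaces in rpc.if lie outside this hunk, so whether the new block follows the file's ordering convention cannot be checked from here.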
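Review bot: The three added calls widen zfs_t from read-only to create and write on exports_t, which is the NFS export configuration, and nothing in zfs.te records why; a one-line `# zfs share creates and writes zfs.exports.lock (exports_t), needed by zfs-mount.service` above rpc_list_exports would tie the rules to the AVC quoted in the commit message. The denial shown is only for write on the lock file; a lock file is commonly removed once released, which neither rpc_create_exports nor rpc_write_exports would appear to cover, so a follow-up denial for unlink on exports_t is plausible once this lands — that is inferred from the file name, not from anything visible here. The optional_policy block these calls sit in continues outside the hunk.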