commit: 32b74e9b8029ee9d345c560dd7e59964fd829f62 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Dec 17 18:38:24 2015 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Fri Dec 18 03:32:59 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32b74e9b |
|
Add permissions for ZFS |
|
zfs list uses a pipe to get info from the kernel |
|
avc: granted { write } for pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file |
avc: granted { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file |
|
zfs send / recv is usually piped somewhere by sysadm |
zfs send tank@snap | ssh foo tank@snap |
|
policy/modules/kernel/kernel.te | 9 +++++++++ |
policy/modules/system/mount.te | 3 +++ |
2 files changed, 12 insertions(+) |
|
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
23 |
index 4ac22e0..f1016a3 100644 |
24 |
--- a/policy/modules/kernel/kernel.te |
25 |
+++ b/policy/modules/kernel/kernel.te |
26 |
@@ -461,4 +461,13 @@ ifdef(`distro_gentoo',` |
27 |
# See also bug 535992 |
28 |
#dev_manage_all_dev_nodes(kernel_t) |
29 |
dev_setattr_generic_chr_files(kernel_t) |
30 |
+ |
31 |
+ # ZFS send/recv writes to an fd |
32 |
+ optional_policy(` |
33 |
+ sysadm_use_fds(kernel_t) |
34 |
+ ') |
35 |
+ # zfs list writes to a pipe |
36 |
+ optional_policy(` |
37 |
+ mount_rw_pipes(kernel_t) |
38 |
+ ') |
39 |
') |
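Review bot: `sysadm_use_fds(kernel_t)` is granted on the strength of the description alone — the two granted-AVC lines quoted in the message only show kernel_t writing a mount_t-owned pipe, which `mount_rw_pipes(kernel_t)` already covers. In the `zfs send ... | ssh` case the pipe is created by the sysadm shell, so if a kernel thread really writes into it, fd use on sysadm_t is unlikely to be sufficient on its own and a sysadm_t fifo_file write denial would presumably follow; capturing the real AVC in permissive mode and adding the matching rule is safer than pre-granting. Both rules widen kernel_t, the domain of every kernel thread, on all Gentoo hosts whether or not ZFS is installed, so consider gating them behind a new boolean or at least naming the threads involved in the comment, `# ZFS kernel threads (e.g. dump_list_strat) write to pipes/fds inherited from the caller`. The enclosing ifdef(distro_gentoo) block begins before this hunk.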
40 |
|
41 |
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
42 |
index 497fa59..920abc7 100644 |
43 |
--- a/policy/modules/system/mount.te |
44 |
+++ b/policy/modules/system/mount.te |
45 |
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t) |
46 |
|
47 |
# setuid/setgid needed to mount cifs |
48 |
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; |
49 |
+allow mount_t self:process signal; |
50 |
+# zfs list uses pipes |
51 |
+allow mount_t self:fifo_file rw_fifo_file_perms; |
52 |
|
53 |
mount_read_loopback_files(mount_t) |
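Review bot: The new `allow mount_t self:process signal;` carries no comment and is not mentioned in the commit message, so nothing records why mount_t (the domain the quoted AVC shows zfs running in) needs to signal itself, and a later audit cannot tell whether it is still required. Add a why-comment above it in the style of the surrounding lines, e.g. `# zfs signals its own process (seen while running zfs list/send)`, worded to match the AVC actually observed, or drop the rule if no denial backs it. The fifo_file rule is justified by the quoted read AVC (scontext and tcontext both mount_t), and `rw_fifo_file_perms` on self is an appropriately narrow grant for that.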