Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
Date: Thu, 17 Dec 2015 18:50:00
Message-Id: 1450377979.41757a4654c651d5c9533d165d58a3487c75b4c7.perfinion@gentoo
commit: 41757a4654c651d5c9533d165d58a3487c75b4c7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:38:24 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 18:46:19 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41757a46

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc: granted { write } for pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc: granted { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

policy/modules/kernel/kernel.te | 5 +++++
policy/modules/system/mount.te | 3 +++
2 files changed, 8 insertions(+)

22 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
23 index 4ac22e0..f964a7b 100644
24 --- a/policy/modules/kernel/kernel.te
25 +++ b/policy/modules/kernel/kernel.te
26 @@ -461,4 +461,9 @@ ifdef(`distro_gentoo',`
27 # See also bug 535992
28 #dev_manage_all_dev_nodes(kernel_t)
29 dev_setattr_generic_chr_files(kernel_t)
30 +
31 + # ZFS send/recv writes to an fd
32 + sysadm_use_fds(kernel_t)
33 + # zfs list writes to a pipe
34 + mount_rw_pipes(kernel_t)
35 ')
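Review bot: `sysadm_use_fds(kernel_t)` is not backed by the evidence in the commit message; the only quoted AVCs are for the `zfs list` pipe, whose tcontext is mount_t, so `mount_rw_pipes(kernel_t)` is justified by the log but the fd rule is not. In SELinux, `fd:use` only lets a domain use a descriptor inherited from another domain; read or write on the object behind it is still checked against the object's label (here `fifo_file`). In the `zfs send tank@snap | ssh foo ...` case the pipe is created by the sysadm shell, so it will be labelled with the sysadm domain rather than mount_t, and neither added line permits kernel_t to write to it. Please quote the AVC that this rule actually resolves, and if a write on a sysadm-labelled pipe is what is denied, add the matching fifo_file permission instead of (or alongside) the fd rule. Since kernel_t is a very broad domain, the comment should also say why the ZFS kernel thread needs access to user-owned pipes rather than just "writes to an fd".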
36
37 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
38 index 497fa59..920abc7 100644
39 --- a/policy/modules/system/mount.te
40 +++ b/policy/modules/system/mount.te
41 @@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
42
43 # setuid/setgid needed to mount cifs
44 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
45 +allow mount_t self:process signal;
46 +# zfs list uses pipes
47 +allow mount_t self:fifo_file rw_fifo_file_perms;
48
49 mount_read_loopback_files(mount_t)
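Review bot: `allow mount_t self:process signal;` is undocumented and is not mentioned in the commit message, and sitting directly under the "# setuid/setgid needed to mount cifs" line it reads as if that comment were its justification; add a comment with the AVC or the ZFS command that needs it, or move it to its own commit, since it is unrelated to the pipe access the message describes. The `self:fifo_file rw_fifo_file_perms` rule matches the second quoted AVC (mount_t reading a mount_t-labelled pipe); note that the write side of that pipe is attributed to kernel_t in the log, not to mount_t, so the comment "zfs list uses pipes" could say that this rule covers the read end in mount_t while the kernel.te change covers the writer.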