commit: 05e541d9d101d8d8f38b94bfd6f80e62da38cb92 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Dec 17 18:38:24 2015 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Dec 17 18:51:56 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05e541d9 |
|
Add permissions for ZFS |
|
zfs list uses a pipe to get info from the kernel |
|
avc: granted { write } for pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file |
avc: granted { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file |
|
zfs send / recv is usually piped somewhere by sysadm |
zfs send tank@snap | ssh foo tank@snap |
|
policy/modules/kernel/kernel.te | 5 +++++ |
policy/modules/system/mount.te | 3 +++ |
2 files changed, 8 insertions(+) |
|
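diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f964a7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,9 @@ ifdef(`distro_gentoo',`
 # See also bug 535992
 #dev_manage_all_dev_nodes(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
+
+ # ZFS send/recv writes to an fd
+ sysadm_use_fds(kernel_t)
+ # zfs list writes to a pipe
+ mount_rw_pipes(kernel_t)
 ')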
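Review bot: `sysadm_use_fds(kernel_t)` is a broad grant — it lets kernel_t use any file descriptor inherited from the sysadm domain — while the comment above it only says "ZFS send/recv writes to an fd", and the commit message carries AVC records for the mount_t pipe case (which justifies `mount_rw_pipes(kernel_t)`) but none for send/recv, so the object class actually needed there is inferred rather than shown. I would make the comment record what was observed so the rule can be narrowed later, e.g. `# ZFS send/recv: kernel_t writes to the fd the sysadm shell handed to zfs (typically a pipe into ssh); no AVC captured yet`, and if a later audit shows only fifo_file access, prefer a pipe-scoped rule over blanket fd use. The mount.te hunk has the same documentation gap: `allow mount_t self:process signal;` is added with no comment and no matching AVC line in the message. The enclosing distro_gentoo ifdef block begins outside this hunk; only its closing `')` is visible.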
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
38 |
index 497fa59..920abc7 100644 |
39 |
--- a/policy/modules/system/mount.te |
40 |
+++ b/policy/modules/system/mount.te |
41 |
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t) |
42 |
|
43 |
# setuid/setgid needed to mount cifs |
44 |
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; |
45 |
+allow mount_t self:process signal; |
46 |
+# zfs list uses pipes |
47 |
+allow mount_t self:fifo_file rw_fifo_file_perms; |
48 |
|
49 |
mount_read_loopback_files(mount_t) |