* Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
- Make ganesha nfs server
parent
723bc03d9a
commit
617ff7d328
@ -3854,6 +3854,13 @@ index 759016583..1b9a61d18 100644
|
||||
+tunable_policy(`use_fusefs_home_dirs',`
|
||||
+ fs_mounton_fusefs(seunshare_domain)
|
||||
')
|
||||
diff --git a/policy/modules/contrib b/policy/modules/contrib
|
||||
index 298b88741..b35f071ea 160000
|
||||
--- a/policy/modules/contrib
|
||||
+++ b/policy/modules/contrib
|
||||
@@ -1 +1 @@
|
||||
-Subproject commit 298b887411b663a7da40a7a465915a7352bac80d
|
||||
+Subproject commit b35f071eace9e06117f78cdda3dd6692388dff6f
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 33e0f8dad..6fd767031 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
|
@ -31970,294 +31970,6 @@ index e5b15fb7e..220622e84 100644
|
||||
allow games_t self:process execmem;
|
||||
')
|
||||
|
||||
diff --git a/ganesha.fc b/ganesha.fc
|
||||
new file mode 100644
|
||||
index 000000000..c723bfb97
|
||||
--- /dev/null
|
||||
+++ b/ganesha.fc
|
||||
@@ -0,0 +1,12 @@
|
||||
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
|
||||
+
|
||||
+/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
|
||||
+/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
|
||||
+
|
||||
+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
|
||||
diff --git a/ganesha.if b/ganesha.if
|
||||
new file mode 100644
|
||||
index 000000000..d9ba5fa27
|
||||
--- /dev/null
|
||||
+++ b/ganesha.if
|
||||
@@ -0,0 +1,147 @@
|
||||
+
|
||||
+## <summary>policy for ganesha</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute ganesha_exec_t in the ganesha domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ganesha_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type ganesha_t, ganesha_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ domtrans_pattern($1, ganesha_exec_t, ganesha_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Execute ganesha in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ganesha_exec',`
|
||||
+ gen_require(`
|
||||
+ type ganesha_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, ganesha_exec_t)
|
||||
+')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read ganesha PID files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ganesha_read_pid_files',`
|
||||
+ gen_require(`
|
||||
+ type ganesha_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute ganesha server in the ganesha domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ganesha_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type ganesha_t;
|
||||
+ type ganesha_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ allow $1 ganesha_unit_file_t:file read_file_perms;
|
||||
+ allow $1 ganesha_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, ganesha_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send and receive messages from
|
||||
+## ganesha over dbus.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ganesha_dbus_chat',`
|
||||
+ gen_require(`
|
||||
+ type ganesha_t;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 ganesha_t:dbus send_msg;
|
||||
+ allow ganesha_t $1:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## All of the rules required to administrate
|
||||
+## an ganesha environment
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`ganesha_admin',`
|
||||
+ gen_require(`
|
||||
+ type ganesha_t;
|
||||
+ type ganesha_var_run_t;
|
||||
+ type ganesha_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 ganesha_t:process { signal_perms };
|
||||
+ ps_process_pattern($1, ganesha_t)
|
||||
+
|
||||
+ tunable_policy(`deny_ptrace',`',`
|
||||
+ allow $1 ganesha_t:process ptrace;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ admin_pattern($1, ganesha_var_run_t)
|
||||
+
|
||||
+ ganesha_systemctl($1)
|
||||
+ admin_pattern($1, ganesha_unit_file_t)
|
||||
+ allow $1 ganesha_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
+ systemd_passwd_agent_exec($1)
|
||||
+ systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/ganesha.te b/ganesha.te
|
||||
new file mode 100644
|
||||
index 000000000..f25a3f34d
|
||||
--- /dev/null
|
||||
+++ b/ganesha.te
|
||||
@@ -0,0 +1,111 @@
|
||||
+policy_module(ganesha, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow ganesha to read/write fuse files
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(ganesha_use_fusefs, false)
|
||||
+
|
||||
+type ganesha_t;
|
||||
+type ganesha_exec_t;
|
||||
+init_daemon_domain(ganesha_t, ganesha_exec_t)
|
||||
+
|
||||
+type ganesha_var_log_t;
|
||||
+logging_log_file(ganesha_var_log_t)
|
||||
+
|
||||
+type ganesha_var_run_t;
|
||||
+files_pid_file(ganesha_var_run_t)
|
||||
+
|
||||
+type ganesha_tmp_t;
|
||||
+files_tmp_file(ganesha_tmp_t)
|
||||
+
|
||||
+type ganesha_unit_file_t;
|
||||
+systemd_unit_file(ganesha_unit_file_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# ganesha local policy
|
||||
+#
|
||||
+dontaudit ganesha_t self:capability net_admin;
|
||||
+
|
||||
+allow ganesha_t self:capability { dac_read_search dac_override };
|
||||
+allow ganesha_t self:capability2 block_suspend;
|
||||
+allow ganesha_t self:process { setcap setrlimit };
|
||||
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow ganesha_t self:tcp_socket { accept listen };
|
||||
+
|
||||
+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
|
||||
+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
|
||||
+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
|
||||
+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
|
||||
+
|
||||
+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
|
||||
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
|
||||
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
|
||||
+
|
||||
+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
|
||||
+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
|
||||
+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
|
||||
+
|
||||
+kernel_read_system_state(ganesha_t)
|
||||
+kernel_search_network_sysctl(ganesha_t)
|
||||
+kernel_read_net_sysctls(ganesha_t)
|
||||
+
|
||||
+auth_use_nsswitch(ganesha_t)
|
||||
+
|
||||
+corenet_tcp_bind_nfs_port(ganesha_t)
|
||||
+corenet_tcp_connect_generic_port(ganesha_t)
|
||||
+corenet_tcp_connect_gluster_port(ganesha_t)
|
||||
+corenet_udp_bind_dey_keyneg_port(ganesha_t)
|
||||
+corenet_tcp_bind_dey_keyneg_port(ganesha_t)
|
||||
+corenet_udp_bind_nfs_port(ganesha_t)
|
||||
+corenet_udp_bind_all_rpc_ports(ganesha_t)
|
||||
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
|
||||
+corenet_tcp_bind_mountd_port(ganesha_t)
|
||||
+corenet_udp_bind_mountd_port(ganesha_t)
|
||||
+corenet_tcp_connect_virt_migration_port(ganesha_t)
|
||||
+corenet_tcp_connect_all_rpc_ports(ganesha_t)
|
||||
+
|
||||
+dev_rw_infiniband_dev(ganesha_t)
|
||||
+dev_read_gpfs(ganesha_t)
|
||||
+dev_read_rand(ganesha_t)
|
||||
+
|
||||
+logging_send_syslog_msg(ganesha_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(ganesha_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(ganesha_t)
|
||||
+ dbus_connect_system_bus(ganesha_t)
|
||||
+ unconfined_dbus_chat(ganesha_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ glusterd_read_conf(ganesha_t)
|
||||
+ glusterd_read_lib_files(ganesha_t)
|
||||
+ glusterd_manage_pid(ganesha_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerberos_read_keytab(ganesha_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpc_manage_nfs_state_data_dir(ganesha_t)
|
||||
+ rpc_read_nfs_state_data(ganesha_t)
|
||||
+ rpcbind_stream_connect(ganesha_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`ganesha_use_fusefs',`
|
||||
+ fs_manage_fusefs_dirs(ganesha_t)
|
||||
+ fs_manage_fusefs_files(ganesha_t)
|
||||
+ fs_read_fusefs_symlinks(ganesha_t)
|
||||
+ fs_getattr_fusefs(ganesha_t)
|
||||
+')
|
||||
diff --git a/gatekeeper.te b/gatekeeper.te
|
||||
index 28203689c..88c98f481 100644
|
||||
--- a/gatekeeper.te
|
||||
@ -33565,10 +33277,10 @@ index 5cd09096a..bd3c3d21b 100644
|
||||
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
|
||||
diff --git a/glusterd.fc b/glusterd.fc
|
||||
new file mode 100644
|
||||
index 000000000..9806f50ae
|
||||
index 000000000..e42e81f5f
|
||||
--- /dev/null
|
||||
+++ b/glusterd.fc
|
||||
@@ -0,0 +1,25 @@
|
||||
@@ -0,0 +1,30 @@
|
||||
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
|
||||
+
|
||||
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
|
||||
@ -33594,12 +33306,17 @@ index 000000000..9806f50ae
|
||||
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
||||
+/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
||||
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
||||
+
|
||||
+/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
|
||||
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
|
||||
+/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
|
||||
+
|
||||
diff --git a/glusterd.if b/glusterd.if
|
||||
new file mode 100644
|
||||
index 000000000..450146018
|
||||
index 000000000..291191f17
|
||||
--- /dev/null
|
||||
+++ b/glusterd.if
|
||||
@@ -0,0 +1,302 @@
|
||||
@@ -0,0 +1,301 @@
|
||||
+
|
||||
+## <summary>policy for glusterd</summary>
|
||||
+
|
||||
@ -33901,13 +33618,12 @@ index 000000000..450146018
|
||||
+ admin_pattern($1, glusterd_conf_t)
|
||||
+
|
||||
+')
|
||||
+
|
||||
diff --git a/glusterd.te b/glusterd.te
|
||||
new file mode 100644
|
||||
index 000000000..7eeb7b0c0
|
||||
index 000000000..ffa5ab9b3
|
||||
--- /dev/null
|
||||
+++ b/glusterd.te
|
||||
@@ -0,0 +1,331 @@
|
||||
@@ -0,0 +1,328 @@
|
||||
+policy_module(glusterd, 1.1.3)
|
||||
+
|
||||
+## <desc>
|
||||
@ -33974,6 +33690,8 @@ index 000000000..7eeb7b0c0
|
||||
+type glusterd_brick_t;
|
||||
+files_type(glusterd_brick_t)
|
||||
+
|
||||
+typealias glusterd_log_t alias ganesha_var_log_t;
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Local policy
|
||||
@ -34177,11 +33895,6 @@ index 000000000..7eeb7b0c0
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ganesha_systemctl(glusterd_t)
|
||||
+ ganesha_dbus_chat(glusterd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ hostname_exec(glusterd_t)
|
||||
+')
|
||||
+
|
||||
@ -34221,8 +33934,8 @@ index 000000000..7eeb7b0c0
|
||||
+optional_policy(`
|
||||
+ rpc_systemctl_nfsd(glusterd_t)
|
||||
+ rpc_systemctl_rpcd(glusterd_t)
|
||||
+
|
||||
+ rpc_domtrans_nfsd(glusterd_t)
|
||||
+ rpc_dbus_chat_nfsd(glusterd_t)
|
||||
+ rpc_domtrans_rpcd(glusterd_t)
|
||||
+ rpc_manage_nfs_state_data(glusterd_t)
|
||||
+ rpc_manage_nfs_state_data_dir(glusterd_t)
|
||||
@ -90565,7 +90278,7 @@ index c8bdea28d..96da15f8a 100644
|
||||
+ logging_log_named_filetrans($1, var_log_t, dir, "bundles")
|
||||
')
|
||||
diff --git a/rhcs.te b/rhcs.te
|
||||
index 6cf79c449..5c0bfd05d 100644
|
||||
index 6cf79c449..63c113978 100644
|
||||
--- a/rhcs.te
|
||||
+++ b/rhcs.te
|
||||
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
|
||||
@ -90804,7 +90517,7 @@ index 6cf79c449..5c0bfd05d 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ganesha_dbus_chat(cluster_t)
|
||||
+ rpc_dbus_chat_nfsd(cluster_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -93361,11 +93074,18 @@ index ccb5991ed..fa10c5a2d 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/rpc.fc b/rpc.fc
|
||||
index a6fb30cb3..97ef313df 100644
|
||||
index a6fb30cb3..e11f3a0f3 100644
|
||||
--- a/rpc.fc
|
||||
+++ b/rpc.fc
|
||||
@@ -1,12 +1,25 @@
|
||||
@@ -1,12 +1,31 @@
|
||||
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
|
||||
|
||||
-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
|
||||
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
+#
|
||||
+# /etc
|
||||
+#
|
||||
@ -93374,16 +93094,15 @@ index a6fb30cb3..97ef313df 100644
|
||||
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
|
||||
-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
|
||||
|
||||
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||
|
||||
+
|
||||
+#
|
||||
+# /sbin
|
||||
+#
|
||||
@ -93396,24 +93115,27 @@ index a6fb30cb3..97ef313df 100644
|
||||
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||
@@ -16,7 +29,13 @@
|
||||
@@ -16,7 +35,16 @@
|
||||
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
|
||||
-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
|
||||
+/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||
+
|
||||
+#
|
||||
+# /var
|
||||
+#
|
||||
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
|
||||
|
||||
+/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
+/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
|
||||
+
|
||||
diff --git a/rpc.if b/rpc.if
|
||||
index 0bf13c220..79a2a9c48 100644
|
||||
index 0bf13c220..2ee527f2a 100644
|
||||
--- a/rpc.if
|
||||
+++ b/rpc.if
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -93750,11 +93472,10 @@ index 0bf13c220..79a2a9c48 100644
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read nfs lib files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage NFS state data in /var/lib/nfs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -93770,10 +93491,11 @@ index 0bf13c220..79a2a9c48 100644
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ allow $1 var_lib_nfs_t:dir manage_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read nfs lib files.
|
||||
+## Read NFS state data in /var/lib/nfs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -93868,7 +93590,7 @@ index 0bf13c220..79a2a9c48 100644
|
||||
')
|
||||
|
||||
allow $1 rpc_domain:process { ptrace signal_perms };
|
||||
@@ -411,10 +505,28 @@ interface(`rpc_admin',`
|
||||
@@ -411,10 +505,49 @@ interface(`rpc_admin',`
|
||||
admin_pattern($1, rpcd_var_run_t)
|
||||
|
||||
files_list_all($1)
|
||||
@ -93898,8 +93620,29 @@ index 0bf13c220..79a2a9c48 100644
|
||||
+
|
||||
+ allow $1 gssd_t:process { noatsecure rlimitinh };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send and receive messages from
|
||||
+## ganesha over dbus.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`rpc_dbus_chat_nfsd',`
|
||||
+ gen_require(`
|
||||
+ type nfsd_t;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 nfsd_t:dbus send_msg;
|
||||
+ allow nfsd_t $1:dbus send_msg;
|
||||
+')
|
||||
diff --git a/rpc.te b/rpc.te
|
||||
index 2da9fca2f..c8afd1e50 100644
|
||||
index 2da9fca2f..f06eb2732 100644
|
||||
--- a/rpc.te
|
||||
+++ b/rpc.te
|
||||
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
|
||||
@ -93942,7 +93685,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
|
||||
attribute rpc_domain;
|
||||
|
||||
@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t)
|
||||
@@ -39,25 +44,36 @@ files_tmp_file(gssd_tmp_t)
|
||||
type rpcd_var_run_t;
|
||||
files_pid_file(rpcd_var_run_t)
|
||||
|
||||
@ -93974,7 +93717,17 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
|
||||
type var_lib_nfs_t;
|
||||
files_mountpoint(var_lib_nfs_t)
|
||||
@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen };
|
||||
|
||||
+type nfsd_tmp_t;
|
||||
+files_tmp_file(nfsd_tmp_t)
|
||||
+
|
||||
+typealias nfsd_exec_t alias ganesha_exec_t;
|
||||
+typealias nfsd_unit_file_t alias ganesha_unit_file_t;
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Common rpc domain local policy
|
||||
@@ -71,7 +87,6 @@ allow rpc_domain self:tcp_socket { accept listen };
|
||||
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
|
||||
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
|
||||
|
||||
@ -93982,7 +93735,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
kernel_read_kernel_sysctls(rpc_domain)
|
||||
kernel_rw_rpc_sysctls(rpc_domain)
|
||||
|
||||
@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain)
|
||||
@@ -79,8 +94,6 @@ dev_read_sysfs(rpc_domain)
|
||||
dev_read_urand(rpc_domain)
|
||||
dev_read_rand(rpc_domain)
|
||||
|
||||
@ -93991,7 +93744,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
corenet_tcp_sendrecv_generic_if(rpc_domain)
|
||||
corenet_udp_sendrecv_generic_if(rpc_domain)
|
||||
corenet_tcp_sendrecv_generic_node(rpc_domain)
|
||||
@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain)
|
||||
@@ -108,41 +121,48 @@ files_read_etc_runtime_files(rpc_domain)
|
||||
files_read_usr_files(rpc_domain)
|
||||
files_list_home(rpc_domain)
|
||||
|
||||
@ -94049,7 +93802,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
kernel_read_sysctl(rpcd_t)
|
||||
kernel_rw_fs_sysctls(rpcd_t)
|
||||
kernel_dontaudit_getattr_core_if(rpcd_t)
|
||||
@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t)
|
||||
@@ -163,13 +183,21 @@ fs_getattr_all_fs(rpcd_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(rpcd_t)
|
||||
|
||||
@ -94073,7 +93826,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
term_dontaudit_use_unallocated_ttys(rpcd_t)
|
||||
@@ -181,19 +203,27 @@ optional_policy(`
|
||||
@@ -181,19 +209,27 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -94104,17 +93857,26 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -201,42 +231,66 @@ optional_policy(`
|
||||
@@ -201,42 +237,75 @@ optional_policy(`
|
||||
# NFSD local policy
|
||||
#
|
||||
|
||||
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
||||
+allow nfsd_t self:capability { dac_read_search sys_admin sys_resource };
|
||||
+allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_resource };
|
||||
+dontaudit nfsd_t self:capability sys_rawio;
|
||||
+
|
||||
+allow nfsd_t self:process { setcap };
|
||||
|
||||
allow nfsd_t exports_t:file read_file_perms;
|
||||
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
|
||||
+manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
|
||||
+manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
|
||||
+files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })
|
||||
+
|
||||
+manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)
|
||||
+files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })
|
||||
+
|
||||
+# for /proc/fs/nfs/exports - should we have a new type?
|
||||
+kernel_read_system_state(nfsd_t)
|
||||
kernel_read_network_state(nfsd_t)
|
||||
@ -94126,10 +93888,10 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
+kernel_mounton_proc(nfsd_t)
|
||||
+kernel_rw_rpc_sysctls_dirs(nfsd_t)
|
||||
+kernel_create_rpc_sysctls(nfsd_t)
|
||||
+
|
||||
+corecmd_exec_shell(nfsd_t)
|
||||
|
||||
-corenet_sendrecv_nfs_server_packets(nfsd_t)
|
||||
+corecmd_exec_shell(nfsd_t)
|
||||
+
|
||||
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||
+corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||
corenet_tcp_bind_nfs_port(nfsd_t)
|
||||
@ -94182,7 +93944,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
')
|
||||
|
||||
@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
@@ -245,7 +314,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
dev_getattr_all_chr_files(nfsd_t)
|
||||
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
@ -94190,13 +93952,22 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -257,12 +325,21 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
|
||||
- files_list_non_auth_dirs(nfsd_t)
|
||||
- files_read_non_auth_files(nfsd_t)
|
||||
+ files_read_non_security_files(nfsd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ glusterd_manage_log(nfsd_t)
|
||||
+ glusterd_manage_pid(nfsd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(nfsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -94205,7 +93976,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -270,7 +323,7 @@ optional_policy(`
|
||||
@@ -270,7 +347,7 @@ optional_policy(`
|
||||
# GSSD local policy
|
||||
#
|
||||
|
||||
@ -94214,7 +93985,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
allow gssd_t self:process { getsched setsched };
|
||||
allow gssd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
@@ -280,6 +357,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
@ -94222,7 +93993,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
kernel_request_load_module(gssd_t)
|
||||
@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
|
||||
@@ -288,25 +366,31 @@ kernel_signal(gssd_t)
|
||||
|
||||
corecmd_exec_bin(gssd_t)
|
||||
|
||||
@ -94257,7 +94028,7 @@ index 2da9fca2f..c8afd1e50 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -314,9 +374,12 @@ optional_policy(`
|
||||
@@ -314,9 +398,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
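Review bot: The pid-file rules the rpc.te NFSD hunk gives nfsd_t (`manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)` and `files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })`) are narrower than the ganesha_t rules removed with ganesha.te, which covered `{ dir file lnk_file }` with matching manage_dirs/manage_lnk_files patterns; if ganesha.nfsd still creates `/var/run/ganesha` as a directory at runtime, that directory will be created as var_run_t and only get rpcd_var_run_t on relabel via the new `/var/run/ganesha.*` rpc.fc entry, so the transition should probably be widened to `files_pid_filetrans(nfsd_t, rpcd_var_run_t, { dir file })` together with `manage_dirs_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)`. The same hunk re-adds `dac_override` to nfsd_t's self:capability set (the earlier patch had reduced it to `dac_read_search`); since the removed ganesha.te granted dac_override to ganesha_t, this looks like a ganesha requirement now extended to every nfsd_t process, and a comment such as `# dac_override is needed by ganesha.nfsd, which now runs as nfsd_t` would keep that widening visible to whoever tightens it later. In rpc.fc the three `nfs-ganesha*` unit-file lines are already matched by the existing `/usr/lib/systemd/system/nfs.*` entry with the same context, so they are redundant rather than wrong. The NFSD local policy block continues outside the hunk.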
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 304%{?dist}
|
||||
Release: 305%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -717,6 +717,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
|
||||
- Make ganesha nfs server
|
||||
|
||||
* Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
|
||||
- Add interface raid_relabel_mdadm_var_run_content()
|
||||
- Fix iscsi SELinux module
|
||||
|