* Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305

- Make ganesha nfs server
2017-11-24 18:20:55 +01:00 · 2017-11-24 18:20:55 +01:00 · 617ff7d328
parent 723bc03d9a
commit 617ff7d328
4 changed files with 123 additions and 342 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3854,6 +3854,13 @@ index 759016583..1b9a61d18 100644
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_mounton_fusefs(seunshare_domain)
 ')
+diff --git a/policy/modules/contrib b/policy/modules/contrib
+index 298b88741..b35f071ea 160000
+--- a/policy/modules/contrib
+++ b/policy/modules/contrib
+@@ -1 +1 @@
+-Subproject commit 298b887411b663a7da40a7a465915a7352bac80d
+Subproject commit b35f071eace9e06117f78cdda3dd6692388dff6f
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 33e0f8dad..6fd767031 100644
 --- a/policy/modules/kernel/corecommands.fc
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -31970,294 +31970,6 @@ index e5b15fb7e..220622e84 100644
 	allow games_t self:process execmem;
 ')
 
-diff --git a/ganesha.fc b/ganesha.fc
-new file mode 100644
-index 000000000..c723bfb97
--- /dev/null
-+++ b/ganesha.fc
-@@ -0,0 +1,12 @@
-+/usr/bin/ganesha.nfsd		--	gen_context(system_u:object_r:ganesha_exec_t,s0)
-+
-+/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
-+
-+/var/log/ganesha.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
-+/var/log/ganesha-gfapi.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
-+
-+/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)
-diff --git a/ganesha.if b/ganesha.if
-new file mode 100644
-index 000000000..d9ba5fa27
--- /dev/null
-+++ b/ganesha.if
-@@ -0,0 +1,147 @@
-+
-+## <summary>policy for ganesha</summary>
-+
-+########################################
-+## <summary>
-+##	Execute ganesha_exec_t in the ganesha domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ganesha_domtrans',`
-+	gen_require(`
-+		type ganesha_t, ganesha_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, ganesha_exec_t, ganesha_t)
-+')
-+
-+######################################
-+## <summary>
-+##	Execute ganesha in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ganesha_exec',`
-+	gen_require(`
-+		type ganesha_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	can_exec($1, ganesha_exec_t)
-+')
-+########################################
-+## <summary>
-+##	Read ganesha PID files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ganesha_read_pid_files',`
-+	gen_require(`
-+		type ganesha_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute ganesha server in the ganesha domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
-+interface(`ganesha_systemctl',`
-+	gen_require(`
-+		type ganesha_t;
-+		type ganesha_unit_file_t;
-+	')
-+
-+	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
-+	allow $1 ganesha_unit_file_t:file read_file_perms;
-+	allow $1 ganesha_unit_file_t:service manage_service_perms;
-+
-+	ps_process_pattern($1, ganesha_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	Send and receive messages from
-+##	ganesha over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ganesha_dbus_chat',`
-+	gen_require(`
-+		type ganesha_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 ganesha_t:dbus send_msg;
-+	allow ganesha_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate
-+##	an ganesha environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`ganesha_admin',`
-+	gen_require(`
-+		type ganesha_t;
-+		type ganesha_var_run_t;
-+	type ganesha_unit_file_t;
-+	')
-+
-+	allow $1 ganesha_t:process { signal_perms };
-+	ps_process_pattern($1, ganesha_t)
-+
-+    tunable_policy(`deny_ptrace',`',`
-+        allow $1 ganesha_t:process ptrace;
-+    ')
-+
-+	files_search_pids($1)
-+	admin_pattern($1, ganesha_var_run_t)
-+
-+	ganesha_systemctl($1)
-+	admin_pattern($1, ganesha_unit_file_t)
-+	allow $1 ganesha_unit_file_t:service all_service_perms;
-+	optional_policy(`
-+		systemd_passwd_agent_exec($1)
-+		systemd_read_fifo_file_passwd_run($1)
-+	')
-+')
-diff --git a/ganesha.te b/ganesha.te
-new file mode 100644
-index 000000000..f25a3f34d
--- /dev/null
-+++ b/ganesha.te
-@@ -0,0 +1,111 @@
-+policy_module(ganesha, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+## <desc>
-+## <p>
-+## Allow ganesha to read/write fuse files
-+## </p>
-+## </desc>
-+gen_tunable(ganesha_use_fusefs, false)
-+
-+type ganesha_t;
-+type ganesha_exec_t;
-+init_daemon_domain(ganesha_t, ganesha_exec_t)
-+
-+type ganesha_var_log_t;
-+logging_log_file(ganesha_var_log_t)
-+
-+type ganesha_var_run_t;
-+files_pid_file(ganesha_var_run_t)
-+
-+type ganesha_tmp_t;
-+files_tmp_file(ganesha_tmp_t)
-+
-+type ganesha_unit_file_t;
-+systemd_unit_file(ganesha_unit_file_t)
-+
-+########################################
-+#
-+# ganesha local policy
-+#
-+dontaudit ganesha_t self:capability net_admin;
-+
-+allow ganesha_t self:capability { dac_read_search dac_override };
-+allow ganesha_t self:capability2 block_suspend;
-+allow ganesha_t self:process { setcap setrlimit };
-+allow ganesha_t self:fifo_file rw_fifo_file_perms;
-+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
-+allow ganesha_t self:tcp_socket { accept listen };
-+
-+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
-+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
-+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
-+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
-+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
-+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
-+
-+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
-+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
-+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
-+
-+kernel_read_system_state(ganesha_t)
-+kernel_search_network_sysctl(ganesha_t)
-+kernel_read_net_sysctls(ganesha_t)
-+
-+auth_use_nsswitch(ganesha_t)
-+
-+corenet_tcp_bind_nfs_port(ganesha_t)
-+corenet_tcp_connect_generic_port(ganesha_t)
-+corenet_tcp_connect_gluster_port(ganesha_t)
-+corenet_udp_bind_dey_keyneg_port(ganesha_t)
-+corenet_tcp_bind_dey_keyneg_port(ganesha_t)
-+corenet_udp_bind_nfs_port(ganesha_t)
-+corenet_udp_bind_all_rpc_ports(ganesha_t)
-+corenet_tcp_bind_all_rpc_ports(ganesha_t)
-+corenet_tcp_bind_mountd_port(ganesha_t)
-+corenet_udp_bind_mountd_port(ganesha_t)
-+corenet_tcp_connect_virt_migration_port(ganesha_t)
-+corenet_tcp_connect_all_rpc_ports(ganesha_t)
-+
-+dev_rw_infiniband_dev(ganesha_t)
-+dev_read_gpfs(ganesha_t)
-+dev_read_rand(ganesha_t)
-+
-+logging_send_syslog_msg(ganesha_t)
-+
-+sysnet_dns_name_resolve(ganesha_t)
-+
-+optional_policy(`
-+	dbus_system_bus_client(ganesha_t)
-+	dbus_connect_system_bus(ganesha_t)
-+    unconfined_dbus_chat(ganesha_t)
-+')
-+
-+optional_policy(`
-+    glusterd_read_conf(ganesha_t)
-+    glusterd_read_lib_files(ganesha_t)
-+    glusterd_manage_pid(ganesha_t)
-+')
-+
-+optional_policy(`
-+    kerberos_read_keytab(ganesha_t)
-+')
-+
-+optional_policy(`
-+	rpc_manage_nfs_state_data_dir(ganesha_t)
-+    rpc_read_nfs_state_data(ganesha_t)
-+	rpcbind_stream_connect(ganesha_t)
-+')
-+
-+tunable_policy(`ganesha_use_fusefs',`
-+    fs_manage_fusefs_dirs(ganesha_t)
-+    fs_manage_fusefs_files(ganesha_t)
-+    fs_read_fusefs_symlinks(ganesha_t)
-+    fs_getattr_fusefs(ganesha_t)
-+')
 diff --git a/gatekeeper.te b/gatekeeper.te
 index 28203689c..88c98f481 100644
 --- a/gatekeeper.te
@ -33565,10 +33277,10 @@ index 5cd09096a..bd3c3d21b 100644
 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 000000000..9806f50ae
+index 000000000..e42e81f5f
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,30 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@ -33594,12 +33306,17 @@ index 000000000..9806f50ae
 +/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+
+/var/log/ganesha(/.*)?      gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha-gfapi.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
+
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
-index 000000000..450146018
+index 000000000..291191f17
 --- /dev/null
 +++ b/glusterd.if
-@@ -0,0 +1,302 @@
+@@ -0,0 +1,301 @@
 +
 +## <summary>policy for glusterd</summary>
 +
@ -33901,13 +33618,12 @@ index 000000000..450146018
 +	admin_pattern($1, glusterd_conf_t)
 +
 +')
-+
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 000000000..7eeb7b0c0
+index 000000000..ffa5ab9b3
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,331 @@
+@@ -0,0 +1,328 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -33974,6 +33690,8 @@ index 000000000..7eeb7b0c0
 +type glusterd_brick_t;
 +files_type(glusterd_brick_t)
 +
+typealias glusterd_log_t alias ganesha_var_log_t;
+
 +########################################
 +#
 +# Local policy
@ -34177,11 +33895,6 @@ index 000000000..7eeb7b0c0
 +')
 +
 +optional_policy(`
-+    ganesha_systemctl(glusterd_t)
-+    ganesha_dbus_chat(glusterd_t)
-+')
-+
-+optional_policy(`
 +    hostname_exec(glusterd_t)
 +')
 +
@ -34221,8 +33934,8 @@ index 000000000..7eeb7b0c0
 +optional_policy(`
 +    rpc_systemctl_nfsd(glusterd_t)
 +    rpc_systemctl_rpcd(glusterd_t)
-+
 +    rpc_domtrans_nfsd(glusterd_t)
+    rpc_dbus_chat_nfsd(glusterd_t)
 +    rpc_domtrans_rpcd(glusterd_t)
 +    rpc_manage_nfs_state_data(glusterd_t)
 +	rpc_manage_nfs_state_data_dir(glusterd_t)
@ -90565,7 +90278,7 @@ index c8bdea28d..96da15f8a 100644
 +	logging_log_named_filetrans($1, var_log_t, dir, "bundles")
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c449..5c0bfd05d 100644
+index 6cf79c449..63c113978 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -90804,7 +90517,7 @@ index 6cf79c449..5c0bfd05d 100644
 +')
 +
 +optional_policy(`
-+    ganesha_dbus_chat(cluster_t)
+    rpc_dbus_chat_nfsd(cluster_t)
 +')
 +
 +optional_policy(`
@ -93361,11 +93074,18 @@ index ccb5991ed..fa10c5a2d 100644
 
 optional_policy(`
 diff --git a/rpc.fc b/rpc.fc
-index a6fb30cb3..97ef313df 100644
+index a6fb30cb3..e11f3a0f3 100644
 --- a/rpc.fc
 +++ b/rpc.fc
-@@ -1,12 +1,25 @@
+@@ -1,12 +1,31 @@
 -/etc/exports	--	gen_context(system_u:object_r:exports_t,s0)
+ 
+-/etc/rc\.d/init\.d/nfs	--	gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/nfslock	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/rpcidmapd	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ 
+-/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+-/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 +#
 +# /etc
 +#
@ -93374,16 +93094,15 @@ index a6fb30cb3..97ef313df 100644
 +/etc/rc\.d/init\.d/nfslock --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/rpcidmapd --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 
-/etc/rc\.d/init\.d/nfs	--	gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nfslock	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rpcidmapd	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 +/usr/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
 +/usr/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
- 
-/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+
 +/usr/lib/systemd/system-generators/nfs.* 		--	gen_context(system_u:object_r:nfsd_exec_t,s0)
- 
+
 +#
 +# /sbin
 +#
@ -93396,24 +93115,27 @@ index a6fb30cb3..97ef313df 100644
 /usr/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
-@@ -16,7 +29,13 @@
+@@ -16,7 +35,16 @@
 /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 
 -/var/lib/nfs(/.*)?	gen_context(system_u:object_r:var_lib_nfs_t,s0)
+/usr/bin/ganesha\.nfsd		--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+
 +#
 +# /var
 +#
 +/var/lib/nfs(/.*)?		gen_context(system_u:object_r:var_lib_nfs_t,s0)
 
 +/var/run/sm-notify.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/ganesha.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)
 /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 -/var/run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +/var/run/rpc\.statd\.lock --	gen_context(system_u:object_r:rpcd_lock_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 0bf13c220..79a2a9c48 100644
+index 0bf13c220..2ee527f2a 100644
 --- a/rpc.if
 +++ b/rpc.if
@@ -1,4 +1,4 @@
@ -93750,11 +93472,10 @@ index 0bf13c220..79a2a9c48 100644
 +
 +	files_search_var_lib($1)
 +	allow $1 var_lib_nfs_t:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Read nfs lib files.
+')
+
+########################################
+## <summary>
 +##	Manage NFS state data in /var/lib/nfs.
 +## </summary>
 +## <param name="domain">
@ -93770,10 +93491,11 @@ index 0bf13c220..79a2a9c48 100644
 +
 +	files_search_var_lib($1)
 +	allow $1 var_lib_nfs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read nfs lib files.
 +##	Read NFS state data in /var/lib/nfs.
 ## </summary>
 ## <param name="domain">
@ -93868,7 +93590,7 @@ index 0bf13c220..79a2a9c48 100644
 	')
 
 	allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,10 +505,28 @@ interface(`rpc_admin',`
+@@ -411,10 +505,49 @@ interface(`rpc_admin',`
 	admin_pattern($1, rpcd_var_run_t)
 
 	files_list_all($1)
@ -93898,8 +93620,29 @@ index 0bf13c220..79a2a9c48 100644
 +
 +    allow $1 gssd_t:process { noatsecure rlimitinh };
 +')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	ganesha over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_dbus_chat_nfsd',`
+	gen_require(`
+		type nfsd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 nfsd_t:dbus send_msg;
+	allow nfsd_t $1:dbus send_msg;
+')
 diff --git a/rpc.te b/rpc.te
-index 2da9fca2f..c8afd1e50 100644
+index 2da9fca2f..f06eb2732 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -93942,7 +93685,7 @@ index 2da9fca2f..c8afd1e50 100644
 
 attribute rpc_domain;
 
-@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t)
+@@ -39,25 +44,36 @@ files_tmp_file(gssd_tmp_t)
 type rpcd_var_run_t;
 files_pid_file(rpcd_var_run_t)
 
@ -93974,7 +93717,17 @@ index 2da9fca2f..c8afd1e50 100644
 
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
-@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen };
+ 
+type nfsd_tmp_t;
+files_tmp_file(nfsd_tmp_t)
+
+typealias nfsd_exec_t alias ganesha_exec_t;
+typealias nfsd_unit_file_t alias ganesha_unit_file_t;
+
+ ########################################
+ #
+ # Common rpc domain local policy
+@@ -71,7 +87,6 @@ allow rpc_domain self:tcp_socket { accept listen };
 manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
 manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
 
@ -93982,7 +93735,7 @@ index 2da9fca2f..c8afd1e50 100644
 kernel_read_kernel_sysctls(rpc_domain)
 kernel_rw_rpc_sysctls(rpc_domain)
 
-@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain)
+@@ -79,8 +94,6 @@ dev_read_sysfs(rpc_domain)
 dev_read_urand(rpc_domain)
 dev_read_rand(rpc_domain)
 
@ -93991,7 +93744,7 @@ index 2da9fca2f..c8afd1e50 100644
 corenet_tcp_sendrecv_generic_if(rpc_domain)
 corenet_udp_sendrecv_generic_if(rpc_domain)
 corenet_tcp_sendrecv_generic_node(rpc_domain)
-@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain)
+@@ -108,41 +121,48 @@ files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
 files_list_home(rpc_domain)
 
@ -94049,7 +93802,7 @@ index 2da9fca2f..c8afd1e50 100644
 kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,13 +183,21 @@ fs_getattr_all_fs(rpcd_t)
 
 storage_getattr_fixed_disk_dev(rpcd_t)
 
@ -94073,7 +93826,7 @@ index 2da9fca2f..c8afd1e50 100644
 
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcd_t)
-@@ -181,19 +203,27 @@ optional_policy(`
+@@ -181,19 +209,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -94104,17 +93857,26 @@ index 2da9fca2f..c8afd1e50 100644
 ')
 
 ########################################
-@@ -201,42 +231,66 @@ optional_policy(`
+@@ -201,42 +237,75 @@ optional_policy(`
 # NFSD local policy
 #
 
 -allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
-+allow nfsd_t self:capability {  dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability {  dac_read_search dac_override sys_admin sys_resource };
 +dontaudit nfsd_t self:capability sys_rawio;
+
+allow nfsd_t self:process { setcap };
 
 allow nfsd_t exports_t:file read_file_perms;
 -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
+manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })
+
+manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)
+files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })
+
 +# for /proc/fs/nfs/exports - should we have a new type?
 +kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
@ -94126,10 +93888,10 @@ index 2da9fca2f..c8afd1e50 100644
 +kernel_mounton_proc(nfsd_t)
 +kernel_rw_rpc_sysctls_dirs(nfsd_t)
 +kernel_create_rpc_sysctls(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
 
 -corenet_sendrecv_nfs_server_packets(nfsd_t)
-+corecmd_exec_shell(nfsd_t)
-+
 +corenet_tcp_bind_all_rpc_ports(nfsd_t)
 +corenet_udp_bind_all_rpc_ports(nfsd_t)
 corenet_tcp_bind_nfs_port(nfsd_t)
@ -94182,7 +93944,7 @@ index 2da9fca2f..c8afd1e50 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +314,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -94190,13 +93952,22 @@ index 2da9fca2f..c8afd1e50 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +325,21 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
 -	files_list_non_auth_dirs(nfsd_t)
 -	files_read_non_auth_files(nfsd_t)
 +	files_read_non_security_files(nfsd_t)
+')
+
+optional_policy(`
+    glusterd_manage_log(nfsd_t)
+    glusterd_manage_pid(nfsd_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(nfsd_t)
 ')
 
 optional_policy(`
@ -94205,7 +93976,7 @@ index 2da9fca2f..c8afd1e50 100644
 ')
 
 ########################################
-@@ -270,7 +323,7 @@ optional_policy(`
+@@ -270,7 +347,7 @@ optional_policy(`
 # GSSD local policy
 #
 
@ -94214,7 +93985,7 @@ index 2da9fca2f..c8afd1e50 100644
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +357,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -94222,7 +93993,7 @@ index 2da9fca2f..c8afd1e50 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +366,31 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -94257,7 +94028,7 @@ index 2da9fca2f..c8afd1e50 100644
 ')
 
 optional_policy(`
-@@ -314,9 +374,12 @@ optional_policy(`
+@@ -314,9 +398,12 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 304%{?dist}
+Release: 305%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -717,6 +717,9 @@ exit 0
 %endif

 %changelog
+* Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
+- Make ganesha nfs server
+
 * Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
 - Add interface raid_relabel_mdadm_var_run_content()
 - Fix iscsi SELinux module