Subject: [PATCH] allow nfsd to exec shell commands.

Upstream-Status: Inappropriate [only for Poky]

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
 policy/modules/contrib/rpc.te   |    7 +++++++
 policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
 2 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 330d01f..fde39d2 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -120,6 +120,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_setsched(nfsd_t)
+kernel_request_load_module(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -174,6 +179,8 @@ tunable_policy(`nfs_export_all_ro',`
 	files_read_non_auth_files(nfsd_t)
 ')
 
+mount_exec(nfsd_t)
+
 ########################################
 #
 # GSSD local policy
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 4bf45cb..25e7b1b 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',`
 
 ########################################
 ## <summary>
+##	Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
-- 
1.7.5.4