Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.

Upstream-Status: Pending

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
 policy/modules/contrib/rpc.te       |    6 +++++-
 policy/modules/contrib/rpcbind.te   |    5 +++++
 policy/modules/kernel/filesystem.te |    1 +
 policy/modules/kernel/kernel.te     |    1 +
 4 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index fde39d2..0fc7ddd 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -179,7 +179,11 @@ tunable_policy(`nfs_export_all_ro',`
 	files_read_non_auth_files(nfsd_t)
 ')
 
-mount_exec(nfsd_t)
+# Should domtrans to mount_t while mounting nfsd_fs_t.
+mount_domtrans(nfsd_t)
+# nfsd_t need to chdir to /var/lib/nfs and read files.
+files_list_var(nfsd_t)
+rpc_read_nfs_state_data(nfsd_t)
 
 ########################################
 #
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index a63e9ee..55397d9 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -67,3 +67,8 @@ logging_send_syslog_msg(rpcbind_t)
 miscfiles_read_localization(rpcbind_t)
 
 sysnet_dns_name_resolve(rpcbind_t)
+
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 376bae8..310d992 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -118,6 +118,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
 
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type oprofilefs_t;
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ab9b6cd..15d3814 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
-- 
1.7.5.4