From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Fri, 23 Aug 2013 12:01:53 +0800 Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. Upstream-Status: Pending Signed-off-by: Xin Ouyang Signed-off-by: Joe MacDonald --- policy/modules/contrib/rpc.te | 5 +++++ policy/modules/contrib/rpcbind.te | 5 +++++ policy/modules/kernel/filesystem.te | 1 + policy/modules/kernel/kernel.te | 2 ++ 4 files changed, 13 insertions(+) --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',` optional_policy(` mount_exec(nfsd_t) + # Should domtrans to mount_t while mounting nfsd_fs_t. + mount_domtrans(nfsd_t) + # nfsd_t need to chdir to /var/lib/nfs and read files. + files_list_var(nfsd_t) + rpc_read_nfs_state_data(nfsd_t) ') ######################################## --- a/policy/modules/contrib/rpcbind.te +++ b/policy/modules/contrib/rpcbind.te @@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t) miscfiles_read_localization(rpcbind_t) +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, +# because the are running in different level. So add rules to allow this. +mls_socket_read_all_levels(rpcbind_t) +mls_socket_write_all_levels(rpcbind_t) + ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcbind_t) ') --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj type nfsd_fs_t; fs_type(nfsd_fs_t) +files_mountpoint(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) type oprofilefs_t; --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -293,6 +293,8 @@ mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_use_all_levels(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337