From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 12:01:53 +0800
Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
 nfsd_fs_t.

Upstream-Status: Pending

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
 policy/modules/kernel/filesystem.te | 1 +
 policy/modules/kernel/kernel.te     | 2 ++
 policy/modules/services/rpc.te      | 5 +++++
 policy/modules/services/rpcbind.te  | 5 +++++
 4 files changed, 13 insertions(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 41037951..b341ba83 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
 
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type nsfs_t;
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8e958074..7b81c732 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
 mls_process_write_all_levels(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index d4209231..a2327b44 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
 
 optional_policy(`
 	mount_exec(nfsd_t)
+	# Should domtrans to mount_t while mounting nfsd_fs_t.
+	mount_domtrans(nfsd_t)
+	# nfsd_t need to chdir to /var/lib/nfs and read files.
+	files_list_var(nfsd_t)
+	rpc_read_nfs_state_data(nfsd_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 5914af99..2055c114 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
 
 miscfiles_read_localization(rpcbind_t)
 
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
 ')
-- 
2.19.1