blob: f1fcc4c510f5204eef77fd61dc26d87721acaf3b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
Subject: [PATCH] allow nfsd to exec shell commands.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/rpc.te | 7 +++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
2 files changed, 25 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 330d01f..fde39d2 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -120,6 +120,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_setsched(nfsd_t)
+kernel_request_load_module(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -174,6 +179,8 @@ tunable_policy(`nfs_export_all_ro',`
files_read_non_auth_files(nfsd_t)
')
+mount_exec(nfsd_t)
+
########################################
#
# GSSD local policy
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 4bf45cb..25e7b1b 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',`
########################################
## <summary>
+## Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
--
1.7.5.4
|