commit: 6280fcf010aa38352561da281652c8ab9f35bf6a Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Sun Feb 14 03:58:00 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Mar 21 21:38:23 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6280fcf0
blkmapd
Patch for the blkmapd daemon that's part of the NFS server. I think this is ready for mergikng.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/rpc.fc | 2 ++
policy/modules/services/rpc.te | 19 +++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 6d3c9b68..88d2acaf 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -16,6 +16,7 @@
 /usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
 /usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
 
+/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
 /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -27,6 +28,7 @@
 
 /var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
 
+/run/blkmapd\.pid -- gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_runtime_t,s0)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 8059b10c..5cacb381 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -72,6 +72,14 @@ init_unit_file(nfsd_unit_t)
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
 
+rpc_domain_template(blkmapd)
+
+type blkmapd_runtime_t;
+files_runtime_file(blkmapd_runtime_t)
+files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
+allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
+
+
 ########################################
 #
 # Common rpc domain local policy
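Review bot: The new `/run/blkmapd\.pid` entry in rpc.fc labels the pid file rpcd_runtime_t, while the rpc.te hunk at @@ -72 declares `blkmapd_runtime_t` and transitions the very same file name to it with `files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")`; the two files disagree, so the pid file created at runtime and the pid file after a relabel (restorecon, or a fresh labelling at install) carry different types. The only explicit file rule visible for the daemon is `allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;`, so after a relabel the daemon may be unable to rewrite or unlink its own pid file unless rpc_domain_template happens to grant rpcd_runtime_t access, which is not visible in this diff. Either change the fc line to `/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_runtime_t,s0)`, or drop the dedicated type and its filetrans in rpc.te and use rpcd_runtime_t consistently in both files like the other rpc daemons' pid files in this hunk.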
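Review bot: The declaration block for blkmapd ends with two consecutive added blank lines before the `########` banner of the common rpc domain section, whereas the surrounding rpc.te separates sections with a single blank line; drop one of the two trailing `+` blank lines. Since this is the only rpc daemon in the file given its own runtime type rather than the shared rpcd_runtime_t, a one-line why-comment above `type blkmapd_runtime_t;` would help the next maintainer, e.g. `# blkmapd's pid file under /run; created via the named filetrans below`.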
@@ -280,6 +288,17 @@ optional_policy(`
 mount_exec(nfsd_t)
 ')
 
+########################################
+#
+# BLKMAPD local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+allow blkmapd_t self:unix_dgram_socket create_socket_perms;
+
+fs_list_rpc(blkmapd_t)
+storage_raw_read_fixed_disk(blkmapd_t)
+
 ########################################
 #
 # GSSD local policy
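Review bot: The line `allow blkmapd_t self:capability sys_rawio;` grants CAP_SYS_RAWIO with no comment stating which operation needs it, and together with `storage_raw_read_fixed_disk(blkmapd_t)` it is the broadest privilege in this patch, so a reader cannot tell whether the capability is a hard requirement or was merely observed in a denial. Add a why-comment above the two rules, along the lines of `# device discovery reads raw fixed disks; sys_rawio is needed for the ioctls it issues (confirm against the audit denial)` — the specific operation is not visible here, so confirm it before settling on the wording. If the capability turns out to be probed rather than required for correct operation, a `dontaudit` on it would be the tighter choice and would keep the audit log quiet without widening the domain.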