commit: c9c22b083349a39d29ab0e530e9a4545fe7e7708
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Sep 19 23:06:34 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:03 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9c22b08
zfs: various fixes
Minor fixes for ZFS, including allowing Zed to use sendmail and write
LED statuses to enclosure devices.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/zfs.te | 47 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 44 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 05e0d3e5f..519295e96 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -50,39 +50,49 @@ files_runtime_filetrans(zed_t, zfs_runtime_t, file)
corecmd_exec_bin(zed_t)
corecmd_exec_shell(zed_t)
-dev_read_sysfs(zed_t)
+dev_rw_sysfs(zed_t)
files_search_etc(zed_t)
+kernel_read_system_state(zed_t)
kernel_read_vm_overcommit_sysctl(zed_t)
storage_raw_rw_fixed_disk(zed_t)
auth_use_nsswitch(zed_t)
+hostname_exec(zed_t)
+
logging_send_syslog_msg(zed_t)
miscfiles_read_localization(zed_t)
udev_search_runtime(zed_t)
+zfs_rw_zpool_cache(zed_t)
+
########################################
#
# zfs local policy
#
-allow zfs_t self:process getsched;
-allow zfs_t self:capability sys_admin;
+allow zfs_t self:process { getsched signull };
+allow zfs_t self:capability { sys_admin sys_rawio };
allow zfs_t self:fifo_file rw_fifo_file_perms;
list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
+manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+
# to execute scripts in /usr/libexec/zfs
corecmd_exec_bin(zfs_t)
corecmd_exec_shell(zfs_t)
+dev_delete_generic_symlinks(zfs_t)
+dev_getattr_sysfs(zfs_t)
dev_read_sysfs(zfs_t)
domain_use_interactive_fds(zfs_t)
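Review bot: `dev_rw_sysfs(zed_t)`, which replaces the former `dev_read_sysfs` line, grants write access to every sysfs_t file, while the commit message only needs zed to write LED status to enclosure devices; a comment at that line such as `# write LED status to enclosure devices via sysfs` would record the intent so a later change can narrow it (a dedicated type for the enclosure attributes would be the tighter form). The same applies to `allow zfs_t self:capability { sys_admin sys_rawio };`: sys_rawio is a new and powerful capability and neither the hunk nor the message says which operation needs it, so a one-line why-comment above it is warranted. `zfs_rw_zpool_cache()` is called here for zed_t and again later in the zfs_t section, but the diffstat lists only zfs.te; if that interface is not already in zfs.if the policy will not build, so that is worth confirming. The zed and zfs local-policy sections continue outside this hunk.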
@@ -104,6 +114,8 @@ kernel_read_kernel_sysctls(zfs_t)
storage_raw_rw_fixed_disk(zfs_t)
+udev_read_runtime_files(zfs_t)
+
miscfiles_read_localization(zfs_t)
auth_use_nsswitch(zfs_t)
@@ -112,9 +124,38 @@ mount_exec(zfs_t)
userdom_use_user_terminals(zfs_t)
+zfs_rw_zpool_cache(zfs_t)
+
optional_policy(`
kernel_rw_rpc_sysctls(zfs_t)
rpc_manage_nfs_state_data(zfs_t)
rpc_read_exports(zfs_t)
')
+
+#######################################
+#
+# Mail local policy
+#
+
+optional_policy(`
+ mta_base_mail_template(zed)
+ role system_r types zed_mail_t;
+
+ allow zed_mail_t zed_t:fd use;
+ allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms;
+ allow zed_mail_t zed_t:process sigchld;
+
+ manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+ manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+ files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file })
+
+ allow zfs_t zed_mail_tmp_t:file write_file_perms;
+
+ mta_sendmail_domtrans(zed_t, zed_mail_t)
+
+ allow zed_mail_t self:capability { dac_override dac_read_search };
+
+ storage_dontaudit_read_fixed_disk(zed_mail_t)
+ storage_dontaudit_write_fixed_disk(zed_mail_t)
+')
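Review bot: `allow zed_mail_t self:capability { dac_override dac_read_search };` in the new mail block grants dac_override with no stated reason; in refpolicy dac_override is usually unnecessary once dac_read_search is present or the file ownership is corrected, so either drop it and confirm against the audit log, or add `# dac_override: <reason, TODO confirm still needed>` above the line. `allow zfs_t zed_mail_tmp_t:file write_file_perms;` also lets the zfs_t domain write into the mail helper's temporary files, an unusual cross-domain flow; a comment naming the path (presumably a zed script feeding zfs output into the message, though that is inferred) would make the rule reviewable. The zed_mail_t read/write dontaudit rules on fixed disks look like noise suppression for the domtrans; a short comment saying so would keep the next reader from treating them as an access requirement.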