zed: allow managing /etc/exports.d/zfs.exports

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2025-03-11 07:40:18 +00:00 · 2023-12-18 12:17:20 -05:00 · 2023-12-18 12:17:20 -05:00 · 838ff87b62
commit 838ff87b62
parent b74dbb649e
2 changed files with 24 additions and 0 deletions
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@ -87,6 +87,24 @@ interface(`rpc_read_exports',`
 	allow $1 exports_t:file read_file_perms;
 ')

+########################################
+## <summary>
+##	Create export files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_create_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	create_files_pattern($1, exports_t, exports_t)
+')
+
 ########################################
 ## <summary>
 ##	Write export files.
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@ -71,6 +71,12 @@ udev_search_runtime(zed_t)

 zfs_rw_zpool_cache(zed_t)

+optional_policy(`
+	# for managing /etc/exports.d/zfs.exports
+	rpc_create_exports(zed_t)
+	rpc_write_exports(zed_t)
+')
+
 ########################################
 #
 # zfs local policy