zfs: allow zfs to write to exports

Needed by zfs-mount.service. type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61 type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null) type=AVC msg=audit(1705092131.987:49): avc: denied { write } for pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-12 17:06:33 -05:00 · 2024-01-12 17:06:33 -05:00 · fbbed63769
commit fbbed63769
parent 8ef4c98c77
2 changed files with 21 additions and 0 deletions
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@ -50,6 +50,24 @@ template(`rpc_domain_template',`
 	auth_use_nsswitch($1_t)
 ')

+########################################
+## <summary>
+##	List export files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_list_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	allow $1 exports_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@ -144,7 +144,10 @@ optional_policy(`
 	kernel_rw_rpc_sysctls(zfs_t)

 	rpc_manage_nfs_state_data(zfs_t)
+	rpc_list_exports(zfs_t)
+	rpc_create_exports(zfs_t)
 	rpc_read_exports(zfs_t)
+	rpc_write_exports(zfs_t)
 ')

 #######################################