rpc: allow rpc.mountd to list/watch NFS server directory
Fixes:
avc: denied { read } for pid=484 comm="rpc.mountd" name="clients" dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0
avc: denied { watch } for pid=487 comm="rpc.mountd" path="/proc/fs/nfsd/clients" dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
parent
7ae40510fd
commit
db42fb615e
@ -3758,6 +3758,24 @@ interface(`fs_list_nfsd_fs',`
|
|||
allow $1 nfsd_fs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch NFS server directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_watch_nfsd_dirs',`
|
||||
gen_require(`
|
||||
type nfsd_fs_t;
|
||||
')
|
||||
|
||||
allow $1 nfsd_fs_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr files on an nfsd filesystem
|
||||
|
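Review bot: The summary `## Watch NFS server directories.` on the new fs_watch_nfsd_dirs interface is easy to misread as the exported NFS directory tree, while the rule it wraps is `allow $1 nfsd_fs_t:dir watch;`, i.e. the nfsd control filesystem at /proc/fs/nfsd that the AVC record in the commit message names. Suggest `## Watch directories on the nfsd filesystem (nfsd_fs_t).`, which matches the wording `on an nfsd filesystem` already used by the neighbouring getattr interface header. The `## Getattr files on an nfsd filesystem` header that starts at the end of this hunk continues outside it.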
|
|
@ -329,6 +329,8 @@ files_manage_mounttab(nfsd_t)
|
|||
fs_mount_nfsd_fs(nfsd_t)
|
||||
fs_getattr_all_fs(nfsd_t)
|
||||
fs_getattr_all_dirs(nfsd_t)
|
||||
fs_list_nfsd_fs(nfsd_t)
|
||||
fs_watch_nfsd_dirs(nfsd_t)
|
||||
fs_rw_nfsd_fs(nfsd_t)
|
||||
|
||||
storage_dontaudit_read_fixed_disk(nfsd_t)
|
||||
|
|