rpc: allow rpc.mountd to list/watch NFS server directory

Fixes:
avc: denied { read } for pid=484 comm="rpc.mountd" name="clients"
dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t
tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0

avc: denied { watch } for pid=487 comm="rpc.mountd"
path="/proc/fs/nfsd/clients" dev="nfsd" ino=22
scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t
tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Yi Zhao 2021-09-26 14:36:00 +08:00
parent 7ae40510fd
commit db42fb615e
2 changed files with 20 additions and 0 deletions


@ -3758,6 +3758,24 @@ interface(`fs_list_nfsd_fs',`
allow $1 nfsd_fs_t:dir list_dir_perms;
')
########################################
## <summary>
## Watch NFS server directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_watch_nfsd_dirs',`
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir watch;
')
########################################
## <summary>
## Getattr files on an nfsd filesystem
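Review bot: The new `fs_watch_nfsd_dirs` interface grants only `nfsd_fs_t:dir watch`, and its summary does not say which consumer or path motivates it, so a later reader cannot tell whether the scope is deliberately narrow; I would make the summary match the denial quoted in the commit message, `## Watch NFS server directories (e.g. /proc/fs/nfsd/clients).`. The denials shown are for the dir class only, so file-level watch permissions are presumably not needed by rpc.mountd, but that is inferred from the log rather than visible in the policy. The blank separator lines between interfaces appear to have been dropped by the rendering, so the surrounding context cannot be checked here.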


@ -329,6 +329,8 @@ files_manage_mounttab(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
fs_list_nfsd_fs(nfsd_t)
fs_watch_nfsd_dirs(nfsd_t)
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
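Review bot: The two added calls break the alphabetical ordering refpolicy keeps within a module's block of interface calls: `fs_watch_nfsd_dirs(nfsd_t)` is placed before `fs_rw_nfsd_fs(nfsd_t)`, so it should move one line down to read `fs_rw_nfsd_fs(nfsd_t)` then `fs_watch_nfsd_dirs(nfsd_t)`. `fs_list_nfsd_fs(nfsd_t)` sits correctly between the getattr and rw calls. The grant stays limited to nfsd_fs_t directories, which matches the quoted denials; the enclosing nfsd_t rule block begins before this hunk.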