From db42fb615ec28ddb7823dbb6ea2394e54931c72e Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sun, 26 Sep 2021 14:36:00 +0800
Subject: [PATCH] rpc: allow rpc.mountd to list/watch NFS server directory

Fixes:
avc: denied { read } for pid=484 comm="rpc.mountd" name="clients" dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0
avc: denied { watch } for pid=487 comm="rpc.mountd" path="/proc/fs/nfsd/clients" dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0

Signed-off-by: Yi Zhao
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/services/rpc.te | 2 ++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9ec2e354b..076610021 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3758,6 +3758,24 @@ interface(`fs_list_nfsd_fs',`
 	allow $1 nfsd_fs_t:dir list_dir_perms;
 ')
 
+########################################
+##
+## Watch NFS server directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_watch_nfsd_dirs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir watch;
+')
+
 ########################################
 ##
 ## Getattr files on an nfsd filesystem
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 4dae82a1e..ff36d4d51 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -329,6 +329,8 @@ files_manage_mounttab(nfsd_t)
 fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
 fs_getattr_all_dirs(nfsd_t)
+fs_list_nfsd_fs(nfsd_t)
+fs_watch_nfsd_dirs(nfsd_t)
 fs_rw_nfsd_fs(nfsd_t)
 storage_dontaudit_read_fixed_disk(nfsd_t)
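Review bot: The doc block on the new `fs_watch_nfsd_dirs` interface shows bare `##` lines where refpolicy expects the `## <summary>` / `## </summary>` and `## <param name="domain">` / `## </param>` wrappers around "Watch NFS server directories." and "Domain allowed access."; this is most likely the XML being stripped by whatever rendered this patch, but it is worth confirming the committed file carries them, since the policy documentation tooling parses those tags. On the permission itself, `allow $1 nfsd_fs_t:dir watch;` is the narrowest form the filesystem module can offer because the whole nfsd filesystem carries the single type nfsd_fs_t, so the grant covers every directory under /proc/fs/nfsd rather than only the `clients` directory named in the denial; that seems acceptable for the nfsd_t domain but deserves a sentence in the commit message. The companion caller in rpc.te is the second hunk, whose trailing context runs past this view.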