selinux-refpolicy/policy/modules/services/zfs.te

policy_module(zfs)

########################################
#
# Declarations
#

attribute_role zfs_roles;

type zed_t;
type zed_exec_t;
init_daemon_domain(zed_t, zed_exec_t)
role zfs_roles types zed_t;

type zfs_t;
type zfs_exec_t;
init_system_domain(zfs_t, zfs_exec_t)
role zfs_roles types zfs_t;

type zfs_config_t;
files_config_file(zfs_config_t)

type zfs_zpool_cache_t;
files_config_file(zfs_zpool_cache_t)

type zfs_runtime_t;
files_runtime_file(zfs_runtime_t)

########################################
#
# zed local policy
#

allow zed_t self:process signal;
allow zed_t self:capability sys_admin;
dontaudit zed_t self:capability net_admin;
allow zed_t self:fifo_file rw_fifo_file_perms;
allow zed_t self:unix_dgram_socket create_socket_perms;
allow zed_t self:netlink_kobject_uevent_socket create_socket_perms;

domtrans_pattern(zed_t, zfs_exec_t, zfs_t)

list_dirs_pattern(zed_t, zfs_config_t, zfs_config_t)
read_files_pattern(zed_t, zfs_config_t, zfs_config_t)
read_lnk_files_pattern(zed_t, zfs_config_t, zfs_config_t)

manage_files_pattern(zed_t, zfs_runtime_t, zfs_runtime_t)
files_runtime_filetrans(zed_t, zfs_runtime_t, file)

# to execute scripts in /usr/libexec/zfs
corecmd_exec_bin(zed_t)
corecmd_exec_shell(zed_t)

dev_rw_sysfs(zed_t)

files_search_etc(zed_t)

kernel_read_system_state(zed_t)
kernel_read_vm_overcommit_sysctl(zed_t)

storage_raw_rw_fixed_disk(zed_t)

auth_use_nsswitch(zed_t)

hostname_exec(zed_t)

logging_send_syslog_msg(zed_t)

miscfiles_read_localization(zed_t)

udev_search_runtime(zed_t)

zfs_rw_zpool_cache(zed_t)

optional_policy(`
	# for managing /etc/exports.d/zfs.exports
	rpc_create_exports(zed_t)
	rpc_write_exports(zed_t)
')

########################################
#
# zfs local policy
#

allow zfs_t self:process { getsched signal signull };
allow zfs_t self:capability { sys_admin sys_rawio };
allow zfs_t self:fifo_file rw_fifo_file_perms;

list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)

manage_dirs_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file })

# to execute scripts in /usr/libexec/zfs
corecmd_exec_bin(zfs_t)
corecmd_exec_shell(zfs_t)

dev_delete_generic_symlinks(zfs_t)
dev_getattr_sysfs(zfs_t)
dev_read_sysfs(zfs_t)

domain_use_interactive_fds(zfs_t)

files_getattr_all_dirs(zfs_t)
files_mounton_all_mountpoints(zfs_t)
files_search_etc(zfs_t)

fs_getattr_xattr_fs(zfs_t)
fs_mount_xattr_fs(zfs_t)
fs_unmount_xattr_fs(zfs_t)
fs_remount_xattr_fs(zfs_t)
fs_relabelfrom_xattr_fs(zfs_t)
fs_ioctl_cgroup_dirs(zfs_t)
fs_rw_nfsd_fs(zfs_t)

kernel_read_fs_sysctls(zfs_t)
kernel_read_kernel_sysctls(zfs_t)
kernel_read_system_state(zfs_t)

storage_raw_rw_fixed_disk(zfs_t)

udev_read_runtime_files(zfs_t)

miscfiles_read_localization(zfs_t)

auth_use_nsswitch(zfs_t)

mount_exec(zfs_t)

userdom_use_user_terminals(zfs_t)

zfs_rw_zpool_cache(zfs_t)

optional_policy(`
	fstools_manage_runtime_files(zfs_t)
	fstools_runtime_filetrans(zfs_t, dir, "blkid")
')

optional_policy(`
	kernel_rw_rpc_sysctls(zfs_t)

	rpc_manage_nfs_state_data(zfs_t)
	rpc_list_exports(zfs_t)
	rpc_create_exports(zfs_t)
	rpc_read_exports(zfs_t)
	rpc_write_exports(zfs_t)
')

#######################################
#
# Mail local policy
#

optional_policy(`
	mta_base_mail_template(zed)
	role system_r types zed_mail_t;

	allow zed_mail_t zed_t:fd use;
	allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms;
	allow zed_mail_t zed_t:process sigchld;

	manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
	manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
	files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file })

	allow zfs_t zed_mail_tmp_t:file write_file_perms;

	mta_sendmail_domtrans(zed_t, zed_mail_t)

	allow zed_mail_t self:capability { dac_override dac_read_search };

	storage_dontaudit_read_fixed_disk(zed_mail_t)
	storage_dontaudit_write_fixed_disk(zed_mail_t)
')