121 lines
2.5 KiB
Plaintext
121 lines
2.5 KiB
Plaintext
policy_module(zfs)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute_role zfs_roles;
|
|
|
|
type zed_t;
|
|
type zed_exec_t;
|
|
init_daemon_domain(zed_t, zed_exec_t)
|
|
role zfs_roles types zed_t;
|
|
|
|
type zfs_t;
|
|
type zfs_exec_t;
|
|
init_system_domain(zfs_t, zfs_exec_t)
|
|
role zfs_roles types zfs_t;
|
|
|
|
type zfs_config_t;
|
|
files_config_file(zfs_config_t)
|
|
|
|
type zfs_zpool_cache_t;
|
|
files_config_file(zfs_zpool_cache_t)
|
|
|
|
type zfs_runtime_t;
|
|
files_runtime_file(zfs_runtime_t)
|
|
|
|
########################################
|
|
#
|
|
# zed local policy
|
|
#
|
|
|
|
allow zed_t self:process signal;
|
|
allow zed_t self:capability sys_admin;
|
|
allow zed_t self:fifo_file rw_fifo_file_perms;
|
|
allow zed_t self:unix_dgram_socket create_socket_perms;
|
|
allow zed_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
domtrans_pattern(zed_t, zfs_exec_t, zfs_t)
|
|
|
|
list_dirs_pattern(zed_t, zfs_config_t, zfs_config_t)
|
|
read_files_pattern(zed_t, zfs_config_t, zfs_config_t)
|
|
read_lnk_files_pattern(zed_t, zfs_config_t, zfs_config_t)
|
|
|
|
manage_files_pattern(zed_t, zfs_runtime_t, zfs_runtime_t)
|
|
files_runtime_filetrans(zed_t, zfs_runtime_t, file)
|
|
|
|
# to execute scripts in /usr/libexec/zfs
|
|
corecmd_exec_bin(zed_t)
|
|
corecmd_exec_shell(zed_t)
|
|
|
|
dev_read_sysfs(zed_t)
|
|
|
|
files_search_etc(zed_t)
|
|
|
|
kernel_read_vm_overcommit_sysctl(zed_t)
|
|
|
|
storage_raw_rw_fixed_disk(zed_t)
|
|
|
|
auth_use_nsswitch(zed_t)
|
|
|
|
logging_send_syslog_msg(zed_t)
|
|
|
|
miscfiles_read_localization(zed_t)
|
|
|
|
udev_search_runtime(zed_t)
|
|
|
|
########################################
|
|
#
|
|
# zfs local policy
|
|
#
|
|
|
|
allow zfs_t self:process getsched;
|
|
allow zfs_t self:capability sys_admin;
|
|
allow zfs_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
|
|
read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
|
|
read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
|
|
|
|
# to execute scripts in /usr/libexec/zfs
|
|
corecmd_exec_bin(zfs_t)
|
|
corecmd_exec_shell(zfs_t)
|
|
|
|
dev_read_sysfs(zfs_t)
|
|
|
|
domain_use_interactive_fds(zfs_t)
|
|
|
|
files_getattr_all_dirs(zfs_t)
|
|
files_mounton_all_mountpoints(zfs_t)
|
|
files_search_etc(zfs_t)
|
|
|
|
fs_getattr_xattr_fs(zfs_t)
|
|
fs_mount_xattr_fs(zfs_t)
|
|
fs_unmount_xattr_fs(zfs_t)
|
|
fs_remount_xattr_fs(zfs_t)
|
|
fs_relabelfrom_xattr_fs(zfs_t)
|
|
fs_ioctl_cgroup_dirs(zfs_t)
|
|
fs_rw_nfsd_fs(zfs_t)
|
|
|
|
kernel_read_fs_sysctls(zfs_t)
|
|
kernel_read_kernel_sysctls(zfs_t)
|
|
|
|
storage_raw_rw_fixed_disk(zfs_t)
|
|
|
|
miscfiles_read_localization(zfs_t)
|
|
|
|
auth_use_nsswitch(zfs_t)
|
|
|
|
mount_exec(zfs_t)
|
|
|
|
userdom_use_user_terminals(zfs_t)
|
|
|
|
optional_policy(`
|
|
kernel_rw_rpc_sysctls(zfs_t)
|
|
|
|
rpc_manage_nfs_state_data(zfs_t)
|
|
rpc_read_exports(zfs_t)
|
|
')
|