diff --git a/container-selinux.tgz b/container-selinux.tgz index f1a0fe3..4927c34 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b1dd7bd..0b8dd19 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3854,6 +3854,13 @@ index 759016583..1b9a61d18 100644 +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) ') +diff --git a/policy/modules/contrib b/policy/modules/contrib +index 298b88741..b35f071ea 160000 +--- a/policy/modules/contrib ++++ b/policy/modules/contrib +@@ -1 +1 @@ +-Subproject commit 298b887411b663a7da40a7a465915a7352bac80d ++Subproject commit b35f071eace9e06117f78cdda3dd6692388dff6f diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 33e0f8dad..6fd767031 100644 --- a/policy/modules/kernel/corecommands.fc diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index de01743..72de4e2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -31970,294 +31970,6 @@ index e5b15fb7e..220622e84 100644 allow games_t self:process execmem; ') -diff --git a/ganesha.fc b/ganesha.fc -new file mode 100644 -index 000000000..c723bfb97 ---- /dev/null -+++ b/ganesha.fc -@@ -0,0 +1,12 @@ -+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0) -+ -+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) -+ -+/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) -+ -+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) -+ -+/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) -+/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) -+ -+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) -diff --git a/ganesha.if b/ganesha.if -new file mode 100644 -index 000000000..d9ba5fa27 ---- /dev/null -+++ b/ganesha.if -@@ -0,0 +1,147 @@ -+ -+## policy for ganesha -+ -+######################################## -+## -+## Execute ganesha_exec_t in the ganesha domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ganesha_domtrans',` -+ gen_require(` -+ type ganesha_t, ganesha_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, ganesha_exec_t, ganesha_t) -+') -+ -+###################################### -+## -+## Execute ganesha in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ganesha_exec',` -+ gen_require(` -+ type ganesha_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, ganesha_exec_t) -+') -+######################################## -+## -+## Read ganesha PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ganesha_read_pid_files',` -+ gen_require(` -+ type ganesha_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t) -+') -+ -+######################################## -+## -+## Execute ganesha server in the ganesha domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ganesha_systemctl',` -+ gen_require(` -+ type ganesha_t; -+ type ganesha_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 ganesha_unit_file_t:file read_file_perms; -+ allow $1 ganesha_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ganesha_t) -+') -+ -+ -+######################################## -+## -+## Send and receive messages from -+## ganesha over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ganesha_dbus_chat',` -+ gen_require(` -+ type ganesha_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 ganesha_t:dbus send_msg; -+ allow ganesha_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ganesha environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`ganesha_admin',` -+ gen_require(` -+ type ganesha_t; -+ type ganesha_var_run_t; -+ type ganesha_unit_file_t; -+ ') -+ -+ allow $1 ganesha_t:process { signal_perms }; -+ ps_process_pattern($1, ganesha_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ganesha_t:process ptrace; -+ ') -+ -+ files_search_pids($1) -+ admin_pattern($1, ganesha_var_run_t) -+ -+ ganesha_systemctl($1) -+ admin_pattern($1, ganesha_unit_file_t) -+ allow $1 ganesha_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/ganesha.te b/ganesha.te -new file mode 100644 -index 000000000..f25a3f34d ---- /dev/null -+++ b/ganesha.te -@@ -0,0 +1,111 @@ -+policy_module(ganesha, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

-+## Allow ganesha to read/write fuse files -+##

-+##
-+gen_tunable(ganesha_use_fusefs, false) -+ -+type ganesha_t; -+type ganesha_exec_t; -+init_daemon_domain(ganesha_t, ganesha_exec_t) -+ -+type ganesha_var_log_t; -+logging_log_file(ganesha_var_log_t) -+ -+type ganesha_var_run_t; -+files_pid_file(ganesha_var_run_t) -+ -+type ganesha_tmp_t; -+files_tmp_file(ganesha_tmp_t) -+ -+type ganesha_unit_file_t; -+systemd_unit_file(ganesha_unit_file_t) -+ -+######################################## -+# -+# ganesha local policy -+# -+dontaudit ganesha_t self:capability net_admin; -+ -+allow ganesha_t self:capability { dac_read_search dac_override }; -+allow ganesha_t self:capability2 block_suspend; -+allow ganesha_t self:process { setcap setrlimit }; -+allow ganesha_t self:fifo_file rw_fifo_file_perms; -+allow ganesha_t self:unix_stream_socket create_stream_socket_perms; -+allow ganesha_t self:tcp_socket { accept listen }; -+ -+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) -+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) -+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) -+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) -+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) -+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir }) -+ -+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) -+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) -+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir }) -+ -+kernel_read_system_state(ganesha_t) -+kernel_search_network_sysctl(ganesha_t) -+kernel_read_net_sysctls(ganesha_t) -+ -+auth_use_nsswitch(ganesha_t) -+ -+corenet_tcp_bind_nfs_port(ganesha_t) -+corenet_tcp_connect_generic_port(ganesha_t) -+corenet_tcp_connect_gluster_port(ganesha_t) -+corenet_udp_bind_dey_keyneg_port(ganesha_t) -+corenet_tcp_bind_dey_keyneg_port(ganesha_t) -+corenet_udp_bind_nfs_port(ganesha_t) -+corenet_udp_bind_all_rpc_ports(ganesha_t) -+corenet_tcp_bind_all_rpc_ports(ganesha_t) -+corenet_tcp_bind_mountd_port(ganesha_t) -+corenet_udp_bind_mountd_port(ganesha_t) -+corenet_tcp_connect_virt_migration_port(ganesha_t) -+corenet_tcp_connect_all_rpc_ports(ganesha_t) -+ -+dev_rw_infiniband_dev(ganesha_t) -+dev_read_gpfs(ganesha_t) -+dev_read_rand(ganesha_t) -+ -+logging_send_syslog_msg(ganesha_t) -+ -+sysnet_dns_name_resolve(ganesha_t) -+ -+optional_policy(` -+ dbus_system_bus_client(ganesha_t) -+ dbus_connect_system_bus(ganesha_t) -+ unconfined_dbus_chat(ganesha_t) -+') -+ -+optional_policy(` -+ glusterd_read_conf(ganesha_t) -+ glusterd_read_lib_files(ganesha_t) -+ glusterd_manage_pid(ganesha_t) -+') -+ -+optional_policy(` -+ kerberos_read_keytab(ganesha_t) -+') -+ -+optional_policy(` -+ rpc_manage_nfs_state_data_dir(ganesha_t) -+ rpc_read_nfs_state_data(ganesha_t) -+ rpcbind_stream_connect(ganesha_t) -+') -+ -+tunable_policy(`ganesha_use_fusefs',` -+ fs_manage_fusefs_dirs(ganesha_t) -+ fs_manage_fusefs_files(ganesha_t) -+ fs_read_fusefs_symlinks(ganesha_t) -+ fs_getattr_fusefs(ganesha_t) -+') diff --git a/gatekeeper.te b/gatekeeper.te index 28203689c..88c98f481 100644 --- a/gatekeeper.te @@ -33565,10 +33277,10 @@ index 5cd09096a..bd3c3d21b 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 000000000..9806f50ae +index 000000000..e42e81f5f --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,25 @@ +@@ -0,0 +1,30 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -33594,12 +33306,17 @@ index 000000000..9806f50ae +/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) ++ ++/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) ++/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) ++/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0) ++ diff --git a/glusterd.if b/glusterd.if new file mode 100644 -index 000000000..450146018 +index 000000000..291191f17 --- /dev/null +++ b/glusterd.if -@@ -0,0 +1,302 @@ +@@ -0,0 +1,301 @@ + +## policy for glusterd + @@ -33901,13 +33618,12 @@ index 000000000..450146018 + admin_pattern($1, glusterd_conf_t) + +') -+ diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 000000000..7eeb7b0c0 +index 000000000..ffa5ab9b3 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,331 @@ +@@ -0,0 +1,328 @@ +policy_module(glusterd, 1.1.3) + +## @@ -33974,6 +33690,8 @@ index 000000000..7eeb7b0c0 +type glusterd_brick_t; +files_type(glusterd_brick_t) + ++typealias glusterd_log_t alias ganesha_var_log_t; ++ +######################################## +# +# Local policy @@ -34177,11 +33895,6 @@ index 000000000..7eeb7b0c0 +') + +optional_policy(` -+ ganesha_systemctl(glusterd_t) -+ ganesha_dbus_chat(glusterd_t) -+') -+ -+optional_policy(` + hostname_exec(glusterd_t) +') + @@ -34221,8 +33934,8 @@ index 000000000..7eeb7b0c0 +optional_policy(` + rpc_systemctl_nfsd(glusterd_t) + rpc_systemctl_rpcd(glusterd_t) -+ + rpc_domtrans_nfsd(glusterd_t) ++ rpc_dbus_chat_nfsd(glusterd_t) + rpc_domtrans_rpcd(glusterd_t) + rpc_manage_nfs_state_data(glusterd_t) + rpc_manage_nfs_state_data_dir(glusterd_t) @@ -90565,7 +90278,7 @@ index c8bdea28d..96da15f8a 100644 + logging_log_named_filetrans($1, var_log_t, dir, "bundles") ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c449..5c0bfd05d 100644 +index 6cf79c449..63c113978 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -90804,7 +90517,7 @@ index 6cf79c449..5c0bfd05d 100644 +') + +optional_policy(` -+ ganesha_dbus_chat(cluster_t) ++ rpc_dbus_chat_nfsd(cluster_t) +') + +optional_policy(` @@ -93361,11 +93074,18 @@ index ccb5991ed..fa10c5a2d 100644 optional_policy(` diff --git a/rpc.fc b/rpc.fc -index a6fb30cb3..97ef313df 100644 +index a6fb30cb3..e11f3a0f3 100644 --- a/rpc.fc +++ b/rpc.fc -@@ -1,12 +1,25 @@ +@@ -1,12 +1,31 @@ -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) + +-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + +-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) +# +# /etc +# @@ -93374,16 +93094,15 @@ index a6fb30cb3..97ef313df 100644 +/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) --/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) --/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) --/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) - --/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) --/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) ++/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) ++/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) ++ +/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0) - ++ +# +# /sbin +# @@ -93396,24 +93115,27 @@ index a6fb30cb3..97ef313df 100644 /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +29,13 @@ +@@ -16,7 +35,16 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) ++/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) ++ +# +# /var +# +/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) +/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0) ++/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c220..79a2a9c48 100644 +index 0bf13c220..2ee527f2a 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -93750,11 +93472,10 @@ index 0bf13c220..79a2a9c48 100644 + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Read nfs lib files. ++') ++ ++######################################## ++## +## Manage NFS state data in /var/lib/nfs. +## +## @@ -93770,10 +93491,11 @@ index 0bf13c220..79a2a9c48 100644 + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nfs lib files. +## Read NFS state data in /var/lib/nfs. ## ## @@ -93868,7 +93590,7 @@ index 0bf13c220..79a2a9c48 100644 ') allow $1 rpc_domain:process { ptrace signal_perms }; -@@ -411,10 +505,28 @@ interface(`rpc_admin',` +@@ -411,10 +505,49 @@ interface(`rpc_admin',` admin_pattern($1, rpcd_var_run_t) files_list_all($1) @@ -93898,8 +93620,29 @@ index 0bf13c220..79a2a9c48 100644 + + allow $1 gssd_t:process { noatsecure rlimitinh }; +') ++ ++######################################## ++## ++## Send and receive messages from ++## ganesha over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpc_dbus_chat_nfsd',` ++ gen_require(` ++ type nfsd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 nfsd_t:dbus send_msg; ++ allow nfsd_t $1:dbus send_msg; ++') diff --git a/rpc.te b/rpc.te -index 2da9fca2f..c8afd1e50 100644 +index 2da9fca2f..f06eb2732 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -93942,7 +93685,7 @@ index 2da9fca2f..c8afd1e50 100644 attribute rpc_domain; -@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t) +@@ -39,25 +44,36 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) @@ -93974,7 +93717,17 @@ index 2da9fca2f..c8afd1e50 100644 type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) -@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen }; + ++type nfsd_tmp_t; ++files_tmp_file(nfsd_tmp_t) ++ ++typealias nfsd_exec_t alias ganesha_exec_t; ++typealias nfsd_unit_file_t alias ganesha_unit_file_t; ++ + ######################################## + # + # Common rpc domain local policy +@@ -71,7 +87,6 @@ allow rpc_domain self:tcp_socket { accept listen }; manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) @@ -93982,7 +93735,7 @@ index 2da9fca2f..c8afd1e50 100644 kernel_read_kernel_sysctls(rpc_domain) kernel_rw_rpc_sysctls(rpc_domain) -@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain) +@@ -79,8 +94,6 @@ dev_read_sysfs(rpc_domain) dev_read_urand(rpc_domain) dev_read_rand(rpc_domain) @@ -93991,7 +93744,7 @@ index 2da9fca2f..c8afd1e50 100644 corenet_tcp_sendrecv_generic_if(rpc_domain) corenet_udp_sendrecv_generic_if(rpc_domain) corenet_tcp_sendrecv_generic_node(rpc_domain) -@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain) +@@ -108,41 +121,48 @@ files_read_etc_runtime_files(rpc_domain) files_read_usr_files(rpc_domain) files_list_home(rpc_domain) @@ -94049,7 +93802,7 @@ index 2da9fca2f..c8afd1e50 100644 kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t) +@@ -163,13 +183,21 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) @@ -94073,7 +93826,7 @@ index 2da9fca2f..c8afd1e50 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) -@@ -181,19 +203,27 @@ optional_policy(` +@@ -181,19 +209,27 @@ optional_policy(` ') optional_policy(` @@ -94104,17 +93857,26 @@ index 2da9fca2f..c8afd1e50 100644 ') ######################################## -@@ -201,42 +231,66 @@ optional_policy(` +@@ -201,42 +237,75 @@ optional_policy(` # NFSD local policy # -allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; -+allow nfsd_t self:capability { dac_read_search sys_admin sys_resource }; ++allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_resource }; +dontaudit nfsd_t self:capability sys_rawio; ++ ++allow nfsd_t self:process { setcap }; allow nfsd_t exports_t:file read_file_perms; -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; ++manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) ++manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) ++files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir }) ++ ++manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t) ++files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file }) ++ +# for /proc/fs/nfs/exports - should we have a new type? +kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -94126,10 +93888,10 @@ index 2da9fca2f..c8afd1e50 100644 +kernel_mounton_proc(nfsd_t) +kernel_rw_rpc_sysctls_dirs(nfsd_t) +kernel_create_rpc_sysctls(nfsd_t) ++ ++corecmd_exec_shell(nfsd_t) -corenet_sendrecv_nfs_server_packets(nfsd_t) -+corecmd_exec_shell(nfsd_t) -+ +corenet_tcp_bind_all_rpc_ports(nfsd_t) +corenet_udp_bind_all_rpc_ports(nfsd_t) corenet_tcp_bind_nfs_port(nfsd_t) @@ -94182,7 +93944,7 @@ index 2da9fca2f..c8afd1e50 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +314,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -94190,13 +93952,22 @@ index 2da9fca2f..c8afd1e50 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +325,21 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) - files_list_non_auth_dirs(nfsd_t) - files_read_non_auth_files(nfsd_t) + files_read_non_security_files(nfsd_t) ++') ++ ++optional_policy(` ++ glusterd_manage_log(nfsd_t) ++ glusterd_manage_pid(nfsd_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(nfsd_t) ') optional_policy(` @@ -94205,7 +93976,7 @@ index 2da9fca2f..c8afd1e50 100644 ') ######################################## -@@ -270,7 +323,7 @@ optional_policy(` +@@ -270,7 +347,7 @@ optional_policy(` # GSSD local policy # @@ -94214,7 +93985,7 @@ index 2da9fca2f..c8afd1e50 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +357,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -94222,7 +93993,7 @@ index 2da9fca2f..c8afd1e50 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +342,31 @@ kernel_signal(gssd_t) +@@ -288,25 +366,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -94257,7 +94028,7 @@ index 2da9fca2f..c8afd1e50 100644 ') optional_policy(` -@@ -314,9 +374,12 @@ optional_policy(` +@@ -314,9 +398,12 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index b26ba55..0fbaeed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 304%{?dist} +Release: 305%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -717,6 +717,9 @@ exit 0 %endif %changelog +* Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305 +- Make ganesha nfs server + * Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304 - Add interface raid_relabel_mdadm_var_run_content() - Fix iscsi SELinux module