1 policy_module(zfs,1.27)
10 type samba_net_exec_t;
16 # This file context is needed for the ZFS control device
18 dev_node(zfs_device_t);
20 # This file context is for executables that need to talk to
24 init_daemon_domain(zfs_t, zfs_exec_t)
26 type zfs_initrc_exec_t;
27 init_script_file(zfs_initrc_exec_t)
29 # ================= zfs_t ===============
31 # Allow access to the ZFS control device
32 allow zfs_t zfs_device_t:chr_file { read write ioctl open };
33 allow mount_t zfs_device_t:chr_file { read write ioctl open };
36 allow zfs_t var_lib_nfs_t:dir { search remove_name write add_name };
37 allow zfs_t var_lib_nfs_t:file { write rename unlink read lock create open getattr };
38 allow zfs_t nfsd_fs_t:file { read open };
39 allow mount_t net_conf_t:file unlink;
40 allow mount_t tmpfs_t:dir { remove_name add_name };
41 allow mount_t tmpfs_t:file { create unlink };
43 # This allows the zfs tools to load the ZFS kernel module by transitioning
44 # the modprobe tools to the right context
45 type_transition zfs_t insmod_exec_t: process insmod_t;
46 allow zfs_t insmod_t: process transition;
47 allow zfs_t insmod_exec_t: file { read execute getattr };
49 # This allows the zfs tools to add SMB shares by transitioning the SMB
50 # tools to the right context
51 type_transition zfs_t samba_net_exec_t: process samba_net_t;
52 allow zfs_t samba_net_t: process transition;
53 allow zfs_t samba_net_exec_t: file { read execute getattr };
55 # This allows the zfs tools to mount file systems by transitioning
56 # the mount command to the right context
57 type_transition zfs_t mount_exec_t: process mount_t;
58 allow zfs_t mount_t: process transition;
59 allow zfs_t mount_exec_t: file { read execute getattr };
git://git.camperquake.de / selinux.git / blob