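policy_module(zfs,1.27)

# Types borrowed from other modules.  Several rules below extend the
# system-wide mount_t, insmod_t and samba_net_t domains rather than
# anything private to ZFS; see the notes at each rule.  (Reference policy
# would normally reach these through the owning modules' interfaces
# instead of a raw require block.)
require {
	type tmpfs_t;
	type var_lib_nfs_t;
	type net_conf_t;
	type nfsd_fs_t;
	type insmod_exec_t;
	type insmod_t;
	type samba_net_exec_t;
	type samba_net_t;
	type mount_t;
	type mount_exec_t;
}

########################################
#
# Declarations
#

# Type for the ZFS control device node (conventionally /dev/zfs; the
# actual path-to-label mapping lives in the module's .fc file, not here).
type zfs_device_t;
dev_node(zfs_device_t)

# Domain for the ZFS userland tools that talk to the control device, and
# the entrypoint type for their executables.  In reference policy
# init_daemon_domain() also lets init execute zfs_exec_t and transition
# into zfs_t.
type zfs_t;
type zfs_exec_t;
init_daemon_domain(zfs_t, zfs_exec_t)

# Init script for the zfs service.
type zfs_initrc_exec_t;
init_script_file(zfs_initrc_exec_t)

########################################
#
# zfs_t local policy
#

# Access to the ZFS control device.  The tools drive the kernel module
# through ioctl on this node, so zfs_device_t should not be granted more
# widely than the domains listed in this file.
allow zfs_t zfs_device_t:chr_file { read write ioctl open };

# NFS sharing: zfs maintains export state under /var/lib/nfs (var_lib_nfs_t)
# and reads the nfsd control filesystem (nfsd_fs_t).
allow zfs_t var_lib_nfs_t:dir { search remove_name write add_name };
allow zfs_t var_lib_nfs_t:file { write rename unlink read lock create open getattr };
allow zfs_t nfsd_fs_t:file { read open };

# Kernel module loading: run modprobe/insmod as insmod_t.
# NOTE(review): this is a privilege boundary -- anything that reaches
# zfs_t can load kernel modules through this edge, so zfs_exec_t must only
# be applied to trusted, root-owned, non-writable binaries.
# `open` is granted alongside `execute`: with the open_perms policy
# capability execve() checks file:open as well as file:execute (the
# chr_file rules in this file already include open for the same reason).
# modutils_domtrans_insmod() is the refpolicy interface for this
# transition; it additionally covers fd inheritance and SIGCHLD, so if
# those appear as AVC denials prefer the interface over widening this list.
type_transition zfs_t insmod_exec_t:process insmod_t;
allow zfs_t insmod_t:process transition;
allow zfs_t insmod_exec_t:file { read execute getattr open };

# SMB sharing: run the samba `net` tool as samba_net_t
# (samba_domtrans_net() is the interface form of these three rules).
type_transition zfs_t samba_net_exec_t:process samba_net_t;
allow zfs_t samba_net_t:process transition;
allow zfs_t samba_net_exec_t:file { read execute getattr open };

# Mounting datasets: run mount(8) as mount_t
# (mount_domtrans() is the interface form of these three rules).
type_transition zfs_t mount_exec_t:process mount_t;
allow zfs_t mount_t:process transition;
allow zfs_t mount_exec_t:file { read execute getattr open };

########################################
#
# Additions to mount_t
#
# These widen the system-wide mount_t domain for every user of mount(8),
# not only for mounts started from zfs_t.  Keep them minimal.

# mount needs the control device to mount ZFS datasets.
allow mount_t zfs_device_t:chr_file { read write ioctl open };

# NOTE(review): net_conf_t labels network configuration files (in
# reference policy this includes /etc/resolv.conf); granting unlink here
# lets any mount_t process delete them.  Confirm which file the ZFS mount
# helper actually removes and whether a narrower type applies.
allow mount_t net_conf_t:file unlink;

# Scratch files on tmpfs created and removed during mount.
allow mount_t tmpfs_t:dir { remove_name add_name };
allow mount_t tmpfs_t:file { create unlink };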