--- /dev/null
+policy_module(zfs,1.27)
+
+require {
+ type tmpfs_t;
+ type var_lib_nfs_t;
+ type net_conf_t;
+ type nfsd_fs_t;
+ type insmod_exec_t;
+ type insmod_t;
+ type samba_net_exec_t;
+ type samba_net_t;
+ type mount_t;
+ type mount_exec_t;
+}
+
+# This file context is needed for the ZFS control device
+type zfs_device_t;
+dev_node(zfs_device_t);
+
+# This file context is for executables that need to talk to
+# the control device
+type zfs_t;
+type zfs_exec_t;
+init_daemon_domain(zfs_t, zfs_exec_t)
+
+type zfs_initrc_exec_t;
+init_script_file(zfs_initrc_exec_t)
+
+# ================= zfs_t ===============
+
+# Allow access to the ZFS control device
+allow zfs_t zfs_device_t:chr_file { read write ioctl open };
+allow mount_t zfs_device_t:chr_file { read write ioctl open };
+
+# Allow NFS sharing
+allow zfs_t var_lib_nfs_t:dir { search remove_name write add_name };
+allow zfs_t var_lib_nfs_t:file { write rename unlink read lock create open getattr };
+allow zfs_t nfsd_fs_t:file { read open };
+allow mount_t net_conf_t:file unlink;
+allow mount_t tmpfs_t:dir { remove_name add_name };
+allow mount_t tmpfs_t:file { create unlink };
+
+# This allows the zfs tools to load the ZFS kernel module by transitioning
+# the modprobe tools to the right context
+type_transition zfs_t insmod_exec_t: process insmod_t;
+allow zfs_t insmod_t: process transition;
+allow zfs_t insmod_exec_t: file { read execute getattr };
+
+# This allows the zfs tools to add SMB shares by transitioning the SMB
+# tools to the right context
+type_transition zfs_t samba_net_exec_t: process samba_net_t;
+allow zfs_t samba_net_t: process transition;
+allow zfs_t samba_net_exec_t: file { read execute getattr };
+
+# This allows the zfs tools to mount file systems by transitioning
+# the mount command to the right context
+type_transition zfs_t mount_exec_t: process mount_t;
+allow zfs_t mount_t: process transition;
+allow zfs_t mount_exec_t: file { read execute getattr };
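Review bot: The three process transitions at lines 46–48, 52–54 and 58–60 grant only `process transition` plus read/execute on the binary, so the child domains (insmod_t, samba_net_t, mount_t) get no permission to use the file descriptors inherited from zfs_t or to deliver sigchld back to it, which in practice shows up as denials on stdin/stdout or the pipe the zfs tools use to read the child's output. In refpolicy the conventional form is one `domtrans_pattern` per transition, which emits the type_transition together with the `fd use`, `fifo_file` and `process sigchld` rules: `domtrans_pattern(zfs_t, insmod_exec_t, insmod_t)`, `domtrans_pattern(zfs_t, samba_net_exec_t, samba_net_t)`, `domtrans_pattern(zfs_t, mount_exec_t, mount_t)`, matching the interface style the file already uses with `init_daemon_domain` and `dev_node`; the owning modules' interfaces (e.g. `modutils_domtrans_insmod(zfs_t)`) would presumably be preferable again if the target refpolicy version provides them. Separately, lines 34 and 40–42 widen mount_t's own privileges (access to the control device, unlinking net_conf_t files, creating and unlinking tmpfs_t files) rather than zfs_t's, so a comment naming the zfs operation that needs each rule would let a reviewer judge whether they belong in this module.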