From: Ralf Ertzinger
Date: Sun, 19 Jan 2014 13:12:06 +0000 (+0100)
Subject: Add ZFS policy
X-Git-Url: https://git.camperquake.de/gitweb.cgi?p=selinux.git;a=commitdiff_plain;h=8443aec4d42c93b0aa92243f1eaf106bddc03b18
Add ZFS policy
---
diff --git a/zfs/zfs.fc b/zfs/zfs.fc
new file mode 100644
index 0000000..3f16e5d
--- /dev/null
+++ b/zfs/zfs.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/zfs -- gen_context(system_u:object_r:zfs_initrc_exec_t,s0)
+/usr/sbin/((zpool)|(zfs)) -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/dev/zfs -c gen_context(system_u:object_r:zfs_device_t,s0)
diff --git a/zfs/zfs.if b/zfs/zfs.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/zfs/zfs.if
@@ -0,0 +1 @@
+##
diff --git a/zfs/zfs.te b/zfs/zfs.te
new file mode 100644
index 0000000..1a53eee
--- /dev/null
+++ b/zfs/zfs.te
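Review bot: The `zfs_exec_t` label on `/usr/sbin/((zpool)|(zfs))` in zfs.fc only reaches the zfs_t domain through the init/initrc entry that `init_daemon_domain` sets up in zfs.te; an administrator running zfs or zpool from a shell presumably stays in the caller's domain unless that domain already carries its own transition rule for zfs_exec_t, and because zfs.if (the next hunk) exports no `zfs_domtrans`/`zfs_run` interface, no other module can request one. A comment in zfs.te naming which domains are expected to reach zfs_t, or an exported domtrans interface, would make that intent explicit. The alternation `((zpool)|(zfs))` is equivalent to `(zfs|zpool)`, the form used elsewhere in refpolicy file contexts.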
@@ -0,0 +1,59 @@
+policy_module(zfs,1.27)
+
+require {
+ type tmpfs_t;
+ type var_lib_nfs_t;
+ type net_conf_t;
+ type nfsd_fs_t;
+ type insmod_exec_t;
+ type insmod_t;
+ type samba_net_exec_t;
+ type samba_net_t;
+ type mount_t;
+ type mount_exec_t;
+}
+
+# This file context is needed for the ZFS control device
+type zfs_device_t;
+dev_node(zfs_device_t);
+
+# This file context is for executables that need to talk to
+# the control device
+type zfs_t;
+type zfs_exec_t;
+init_daemon_domain(zfs_t, zfs_exec_t)
+
+type zfs_initrc_exec_t;
+init_script_file(zfs_initrc_exec_t)
+
+# ================= zfs_t ===============
+
+# Allow access to the ZFS control device
+allow zfs_t zfs_device_t:chr_file { read write ioctl open };
+allow mount_t zfs_device_t:chr_file { read write ioctl open };
+
+# Allow NFS sharing
+allow zfs_t var_lib_nfs_t:dir { search remove_name write add_name };
+allow zfs_t var_lib_nfs_t:file { write rename unlink read lock create open getattr };
+allow zfs_t nfsd_fs_t:file { read open };
+allow mount_t net_conf_t:file unlink;
+allow mount_t tmpfs_t:dir { remove_name add_name };
+allow mount_t tmpfs_t:file { create unlink };
+
+# This allows the zfs tools to load the ZFS kernel module by transitioning
+# the modprobe tools to the right context
+type_transition zfs_t insmod_exec_t: process insmod_t;
+allow zfs_t insmod_t: process transition;
+allow zfs_t insmod_exec_t: file { read execute getattr };
+
+# This allows the zfs tools to add SMB shares by transitioning the SMB
+# tools to the right context
+type_transition zfs_t samba_net_exec_t: process samba_net_t;
+allow zfs_t samba_net_t: process transition;
+allow zfs_t samba_net_exec_t: file { read execute getattr };
+
+# This allows the zfs tools to mount file systems by transitioning
+# the mount command to the right context
+type_transition zfs_t mount_exec_t: process mount_t;
+allow zfs_t mount_t: process transition;
+allow zfs_t mount_exec_t: file { read execute getattr };
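Review bot: The three hand-written domain transitions at the end of the hunk (`type_transition zfs_t insmod_exec_t: process insmod_t;` with its `allow … process transition` and `allow … file { read execute getattr }` pair, and the matching triples for samba_net_t and mount_t) grant only the forward half of a transition; the reciprocal rules that `domtrans_pattern`/`domain_auto_trans` add for the child domain (`fd use`, `fifo_file` read/write and `process sigchld` back to zfs_t) are absent, so the spawned insmod/net/mount processes would presumably be denied when they report back to zfs_t. Replacing each triple with the owning module's interface — `modutils_domtrans_insmod(zfs_t)`, `samba_domtrans_net(zfs_t)`, `mount_domtrans(zfs_t)` — supplies those rules and removes the need to `require` the insmod, samba_net and mount_exec types by hand. The four rules granted directly to `mount_t` (the chr_file access to zfs_device_t, `allow mount_t net_conf_t:file unlink;`, and the tmpfs_t dir/file create/unlink pair) widen the mount module's domain for every invocation of mount on the system, not only ZFS; they read like audit2allow output and deserve a comment stating which ZFS operation needs each one — the net_conf_t unlink in particular — or should be narrowed to a ZFS-specific type. zfs.if (the previous hunk) exports no interface, so other modules cannot be granted access to zfs_device_t or a transition into zfs_t without a `require` block of their own.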