From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1667398023.c9c22b083349a39d29ab0e530e9a4545fe7e7708.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/zfs.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: c9c22b083349a39d29ab0e530e9a4545fe7e7708
X-VCS-Branch: master
Date: Wed, 2 Nov 2022 14:42:51 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: b15d3e55-f236-4a12-adb5-07690b79e56d
X-Archives-Hash: e852b7750d4ba416a80982c81e72c419

commit:     c9c22b083349a39d29ab0e530e9a4545fe7e7708
Author:     Kenton Groombridge concord sh>
AuthorDate: Mon Sep 19 23:06:34 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Wed Nov 2 14:07:03 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9c22b08

zfs: various fixes

Minor fixes for ZFS, including allowing Zed to use sendmail and write LED statuses to enclosure devices.

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/zfs.te | 47 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 05e0d3e5f..519295e96 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -50,39 +50,49 @@ files_runtime_filetrans(zed_t, zfs_runtime_t, file) corecmd_exec_bin(zed_t) corecmd_exec_shell(zed_t) -dev_read_sysfs(zed_t) +dev_rw_sysfs(zed_t) files_search_etc(zed_t) +kernel_read_system_state(zed_t) kernel_read_vm_overcommit_sysctl(zed_t) storage_raw_rw_fixed_disk(zed_t) auth_use_nsswitch(zed_t) +hostname_exec(zed_t) + logging_send_syslog_msg(zed_t) miscfiles_read_localization(zed_t) udev_search_runtime(zed_t) +zfs_rw_zpool_cache(zed_t) + ######################################## # # zfs local policy # -allow zfs_t self:process getsched; -allow zfs_t self:capability sys_admin; +allow zfs_t self:process { getsched signull }; +allow zfs_t self:capability { sys_admin sys_rawio }; allow zfs_t self:fifo_file rw_fifo_file_perms; list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t) read_files_pattern(zfs_t, zfs_config_t, zfs_config_t) read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t) +manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t) +files_runtime_filetrans(zfs_t, zfs_runtime_t, file) + # to execute scripts in /usr/libexec/zfs corecmd_exec_bin(zfs_t) corecmd_exec_shell(zfs_t) +dev_delete_generic_symlinks(zfs_t) +dev_getattr_sysfs(zfs_t) dev_read_sysfs(zfs_t) domain_use_interactive_fds(zfs_t) @@ -104,6 +114,8 @@ kernel_read_kernel_sysctls(zfs_t) storage_raw_rw_fixed_disk(zfs_t) +udev_read_runtime_files(zfs_t) + miscfiles_read_localization(zfs_t) auth_use_nsswitch(zfs_t) 
@@ -112,9 +124,38 @@ mount_exec(zfs_t) userdom_use_user_terminals(zfs_t) +zfs_rw_zpool_cache(zfs_t) + optional_policy(` kernel_rw_rpc_sysctls(zfs_t) rpc_manage_nfs_state_data(zfs_t) rpc_read_exports(zfs_t) ') + +####################################### +# +# Mail local policy +# + +optional_policy(` + mta_base_mail_template(zed) + role system_r types zed_mail_t; + + allow zed_mail_t zed_t:fd use; + allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms; + allow zed_mail_t zed_t:process sigchld; + + manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t) + manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t) + files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file }) + + allow zfs_t zed_mail_tmp_t:file write_file_perms; + + mta_sendmail_domtrans(zed_t, zed_mail_t) + + allow zed_mail_t self:capability { dac_override dac_read_search }; + + storage_dontaudit_read_fixed_disk(zed_mail_t) + storage_dontaudit_write_fixed_disk(zed_mail_t) +')
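Review bot: in the first hunk (`@@ -50,39 +50,49 @@`), `+hostname_exec(zed_t)` is added as an unconditional call; if hostname is built as a separate module in this policy, it belongs inside an `optional_policy(` ... ')` block like the `kernel_rw_rpc_sysctls` and `rpc_*` calls further down in the file, otherwise the zfs module fails to build when hostname is not present. Two widenings in the same hunk would benefit from an inline comment stating their purpose, in the style of the existing `# to execute scripts in /usr/libexec/zfs`: the change from `-dev_read_sysfs(zed_t)` to `+dev_rw_sysfs(zed_t)` grants write access to all of sysfs, not only the enclosure LED attributes the commit message names, and `sys_rawio` in `+allow zfs_t self:capability { sys_admin sys_rawio };` is a broad capability whose trigger (which zfs operation produced the denial) should be recorded next to the grant. Lastly, `+zfs_rw_zpool_cache(zed_t)` is a new interface call and this commit touches only zfs.te (per X-VCS-Files), so confirm that the interface is already defined in zfs.if before merging.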
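Review bot: in the last hunk (`@@ -112,9 +124,38 @@`), `storage_dontaudit_read_fixed_disk(zed_mail_t)` and `storage_dontaudit_write_fixed_disk(zed_mail_t)` hide a denial rather than explain it; since zed_t already has `storage_raw_rw_fixed_disk(zed_t)` and zed_mail_t is granted `zed_t:fd use`, the likely source is a raw-disk descriptor inherited across the `mta_sendmail_domtrans(zed_t, zed_mail_t)` transition, and a comment saying so (or closing the descriptor on exec in zed instead of silencing the audit) would keep the dontaudit reviewable later. `allow zed_mail_t self:capability { dac_override dac_read_search };` likewise needs a comment recording which file access required it, as dac_override lifts every discretionary check for the mail domain. And `allow zfs_t zed_mail_tmp_t:file write_file_perms;` grants a domain other than zed_mail_t inside the mail block; a note on why zfs_t writes into the mail temp files (presumably zfs commands launched from zed's scripts with output redirected there) and on whether `write_file_perms` without read is intentional would make the rule self-explanatory.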