From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1736197689.42fb434d46f64e73d5458ea4b444db1f80ee5ed3.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/zfs.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 42fb434d46f64e73d5458ea4b444db1f80ee5ed3
X-VCS-Branch: master
Date: Mon, 06 Jan 2025 21:08:28 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: f9d1cf92-2348-431f-a131-725eca800dc8
X-Archives-Hash: a4133f50758d52852075477be5166ae8

commit:     42fb434d46f64e73d5458ea4b444db1f80ee5ed3
Author:     Marc Schiffbauer gentoo org>
AuthorDate: Wed Dec 4 21:40:25 2024 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Mon Jan 6 21:08:09 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42fb434d

services/zfs: allow auto-snapshots being created via systemd-timer

for reading compatibility file /usr/share/zfs/compatibility.d/openzfs-2.2

-rw-r--r--. 1 root root system_u:object_r:usr_t:s0 584 30. Aug 01:15 /usr/share/zfs/compatibility.d/openzfs-2.2

files_read_usr_files(zfs_t)
files_mmap_read_usr_files(zfs_t)

auto-snapshots through systemd-timer not working without this:

scontext="system_u:system_r:zfs_t:s0" tcontext="system_u:object_r:zfs_exec_t:s0" class="file" perms="execute_no_trans" comm="env" exe="" path="" message="type=AVC msg=audit(1726998333.913:106): avc: denied { execute_no_trans } for pid=1708 comm="env" path="/usr/bin/zpool" dev="zfs" ino=405615 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:zfs_exec_t:s0 tclass=file permissive=0 "

allow zfs_t zfs_exec_t:file execute_no_trans;

Signed-off-by: Marc Schiffbauer gentoo.org>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/zfs.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te index 57dbe0582..68ce14c76 100644 --- a/policy/modules/services/zfs.te +++ b/policy/modules/services/zfs.te @@ -135,6 +135,13 @@ userdom_use_user_terminals(zfs_t) zfs_rw_zpool_cache(zfs_t) +# for reading compatibility file in /usr/share/zfs/compatibility.d/ +files_read_usr_files(zfs_t) +files_mmap_read_usr_files(zfs_t) + +# auto-snapshots through systemd-timer not working without this +allow zfs_t zfs_exec_t:file execute_no_trans; + optional_policy(` fstools_manage_runtime_files(zfs_t) fstools_runtime_filetrans(zfs_t, dir, "blkid")
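Review bot: the bare `allow zfs_t zfs_exec_t:file execute_no_trans;` in this hunk should be written with the refpolicy macro `can_exec(zfs_t, zfs_exec_t)` rather than a raw allow rule; module .te files in refpolicy express "a domain runs this executable type without a domain transition" through that macro, which also carries the read and mmap permissions the execution needs, and raw `allow` lines on file classes are what the style checks flag. The comment above it, `# auto-snapshots through systemd-timer not working without this`, records a symptom, not a reason; the AVC quoted in the commit message shows what is actually happening (`comm="env"` already in `zfs_t` executes `/usr/bin/zpool`, labelled `zfs_exec_t`), so say that the timer's unit launches a helper in zfs_t which then runs zpool and must stay in zfs_t instead of re-entering the domain through a transition. The two `files_read_usr_files(zfs_t)` / `files_mmap_read_usr_files(zfs_t)` lines are justified by the `usr_t` label in the listing in the commit message; the only suggestion there is to name the file in the comment (`/usr/share/zfs/compatibility.d/openzfs-2.2`) so a later reader can confirm the label without digging up this commit.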