Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch')
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch77
1 files changed, 0 insertions, 77 deletions
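diff --git a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
deleted file mode 100644
index 78a4328..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
- nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/filesystem.te | 1 +
- policy/modules/kernel/kernel.te | 2 ++
- policy/modules/services/rpc.te | 5 +++++
- policy/modules/services/rpcbind.te | 5 +++++
- 4 files changed, 13 insertions(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 41037951..b341ba83 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
-
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-
- type nsfs_t;
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8e958074..7b81c732 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-
- ifdef(`distro_redhat',`
- # Bugzilla 222337
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index d4209231..a2327b44 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
-
- optional_policy(`
- mount_exec(nfsd_t)
-+ # Should domtrans to mount_t while mounting nfsd_fs_t.
-+ mount_domtrans(nfsd_t)
-+ # nfsd_t need to chdir to /var/lib/nfs and read files.
-+ files_list_var(nfsd_t)
-+ rpc_read_nfs_state_data(nfsd_t)
- ')
-
- ########################################
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 5914af99..2055c114 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
-
- miscfiles_read_localization(rpcbind_t)
-
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---
-2.19.1
-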