Add zfs selinux rules for unmounting snapshots
1 parent
9dede94
commit 89c8cba
Showing
6 changed files
with
59 additions
and
32 deletions.
@@ -0,0 +1,46 @@ | ||
|
||
module twiest-zfs 1.0; | ||
|
||
require { | ||
type proc_net_t; | ||
type unlabeled_t; | ||
type device_t; | ||
type mnt_t; | ||
type fs_t; | ||
type kernel_generic_helper_t; | ||
type mount_exec_t; | ||
type mount_var_run_t; | ||
class file { execute execute_no_trans getattr map open read }; | ||
class lnk_file read; | ||
class dir { getattr mounton search }; | ||
class capability { setgid setuid sys_admin }; | ||
class chr_file { ioctl open read write }; | ||
class filesystem { mount unmount }; | ||
} | ||
|
||
#============= kernel_generic_helper_t ============== | ||
|
||
#!!!! This avc is allowed in the current policy | ||
#!!!! This av rule may have been overridden by an extended permission av rule | ||
allow kernel_generic_helper_t device_t:chr_file { ioctl open read write }; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t fs_t:filesystem { mount unmount }; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t mnt_t:lnk_file read; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t mount_exec_t:file { execute execute_no_trans getattr map open read }; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t mount_var_run_t:dir search; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t proc_net_t:lnk_file read; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t self:capability { setgid setuid sys_admin }; | ||
|
||
#!!!! This avc is allowed in the current policy | ||
allow kernel_generic_helper_t unlabeled_t:dir { getattr mounton search }; |