Add zfs selinux rules for unmounting snapshots

twiest · Aug 6, 2023 · 89c8cba · 89c8cba
1 parent 9dede94
commit 89c8cba
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 32 deletions.
diff --git a/silverblue-zfs-base/files/build.sh b/silverblue-zfs-base/files/build.sh
@@ -4,9 +4,9 @@ set -eou pipefail
 
 cd "$(dirname $0)"
 
-[ -f "twiest-zfs-snapshot-mount.pp.bz2" ] && rm twiest-zfs-snapshot-mount.pp.bz2
-[ -f "twiest-zfs-snapshot-mount.te" ] && rm twiest-zfs-snapshot-mount.te
+[ -f "twiest-zfs.pp.bz2" ] && rm twiest-zfs.pp.bz2
+[ -f "twiest-zfs.te" ] && rm twiest-zfs.te
 
-cat twiest-zfs-snapshot-mount---audit.log | audit2allow -M twiest-zfs-snapshot-mount
+cat twiest-zfs---audit.log | audit2allow -M twiest-zfs
 
-bzip2 twiest-zfs-snapshot-mount.pp
+bzip2 twiest-zfs.pp
diff --git a/...les/twiest-zfs-snapshot-mount---audit.log → ...lue-zfs-base/files/twiest-zfs---audit.log b/...les/twiest-zfs-snapshot-mount---audit.log → ...lue-zfs-base/files/twiest-zfs---audit.log
@@ -15,3 +15,12 @@ type=AVC msg=audit(1691269134.772:243): avc:  denied  { ioctl } for  pid=2138606
 type=AVC msg=audit(1691269157.714:246): avc:  denied  { mounton } for  pid=2174352 comm="mount.zfs" path="/var/mnt/hddpool/hobby/.zfs/snapshot/2023-08-05-16.22---borg-backup-snap" dev="zfs" ino=281474976710645 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
 type=AVC msg=audit(1691269176.604:248): avc:  denied  { sys_admin } for  pid=2204191 comm="mount.zfs" capability=21  scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=capability permissive=0
 type=AVC msg=audit(1691269193.977:250): avc:  denied  { mount } for  pid=2231287 comm="mount.zfs" name="/" dev="zfs" ino=34 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
+
+
+type=AVC msg=audit(1691337356.768:194): avc:  denied  { read } for  pid=3873 comm="exportfs" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
+type=AVC msg=audit(1691337356.768:195): avc:  denied  { read } for  pid=3873 comm="exportfs" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
+type=AVC msg=audit(1691337356.768:196): avc:  denied  { read } for  pid=3873 comm="exportfs" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
+type=AVC msg=audit(1691337356.768:197): avc:  denied  { read } for  pid=3873 comm="exportfs" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
+type=AVC msg=audit(1691337356.771:198): avc:  denied  { getattr } for  pid=3874 comm="umount" path="/var/mnt/hddpool/hobby/.zfs/snapshot/2023-08-05-16.22---borg-backup-snap" dev="zfs" ino=34 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1691337356.771:199): avc:  denied  { search } for  pid=3874 comm="umount" name="mount" dev="tmpfs" ino=555 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1691337356.771:200): avc:  denied  { unmount } for  pid=3874 comm="umount" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
diff --git a/silverblue-zfs-base/files/twiest-zfs-snapshot-mount.pp.bz2 b/silverblue-zfs-base/files/twiest-zfs-snapshot-mount.pp.bz2
diff --git a/silverblue-zfs-base/files/twiest-zfs-snapshot-mount.te b/silverblue-zfs-base/files/twiest-zfs-snapshot-mount.te
diff --git a/silverblue-zfs-base/files/twiest-zfs.pp.bz2 b/silverblue-zfs-base/files/twiest-zfs.pp.bz2
diff --git a/silverblue-zfs-base/files/twiest-zfs.te b/silverblue-zfs-base/files/twiest-zfs.te
@@ -0,0 +1,46 @@
+
+module twiest-zfs 1.0;
+
+require {
+	type proc_net_t;
+	type unlabeled_t;
+	type device_t;
+	type mnt_t;
+	type fs_t;
+	type kernel_generic_helper_t;
+	type mount_exec_t;
+	type mount_var_run_t;
+	class file { execute execute_no_trans getattr map open read };
+	class lnk_file read;
+	class dir { getattr mounton search };
+	class capability { setgid setuid sys_admin };
+	class chr_file { ioctl open read write };
+	class filesystem { mount unmount };
+}
+
+#============= kernel_generic_helper_t ==============
+
+#!!!! This avc is allowed in the current policy
+#!!!! This av rule may have been overridden by an extended permission av rule
+allow kernel_generic_helper_t device_t:chr_file { ioctl open read write };
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t fs_t:filesystem { mount unmount };
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t mnt_t:lnk_file read;
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t mount_exec_t:file { execute execute_no_trans getattr map open read };
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t mount_var_run_t:dir search;
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t proc_net_t:lnk_file read;
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t self:capability { setgid setuid sys_admin };
+
+#!!!! This avc is allowed in the current policy
+allow kernel_generic_helper_t unlabeled_t:dir { getattr mounton search };