commit: 42fb434d46f64e73d5458ea4b444db1f80ee5ed3
Author: Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 4 21:40:25 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jan 6 21:08:09 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42fb434d
services/zfs: allow auto-snapshots being created via systemd-timer
for reading compatibility file /usr/share/zfs/compatibility.d/openzfs-2.2
-rw-r--r--. 1 root root system_u:object_r:usr_t:s0 584 30. Aug 01:15
/usr/share/zfs/compatibility.d/openzfs-2.2
files_read_usr_files(zfs_t)
files_mmap_read_usr_files(zfs_t)
Auto-snapshots triggered by the systemd timer do not work without this:
scontext="system_u:system_r:zfs_t:s0"
tcontext="system_u:object_r:zfs_exec_t:s0"
class="file" perms="execute_no_trans"
comm="env" exe="" path=""
message="type=AVC msg=audit(1726998333.913:106): avc: denied {
execute_no_trans } for pid=1708 comm="env" path="/usr/bin/zpool" dev="zfs"
ino=405615 scontext=system_u:system_r:zfs_t:s0
tcontext=system_u:object_r:zfs_exec_t:s0 tclass=file permissive=0 "
allow zfs_t zfs_exec_t:file execute_no_trans;
Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/zfs.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 57dbe0582..68ce14c76 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -135,6 +135,13 @@ userdom_use_user_terminals(zfs_t)
zfs_rw_zpool_cache(zfs_t)
+# for reading compatibility file in /usr/share/zfs/compatibility.d/
+files_read_usr_files(zfs_t)
+files_mmap_read_usr_files(zfs_t)
+
+# auto-snapshots through systemd-timer not working without this
+allow zfs_t zfs_exec_t:file execute_no_trans;
+
optional_policy(`
fstools_manage_runtime_files(zfs_t)
fstools_runtime_filetrans(zfs_t, dir, "blkid")
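Review bot: The raw `allow zfs_t zfs_exec_t:file execute_no_trans;` on the new side is not the way refpolicy .te files normally grant a domain the right to execute its own entrypoint without a transition; the idiom is the macro `can_exec(zfs_t, zfs_exec_t)`, which expands to execute_no_trans together with the mmap execute permissions (`map` etc.) that the kernel checks when it actually loads the binary, so the single denial quoted in the description is probably only the first of a pair that would surface once it is allowed. The two comments describe the symptom rather than the reason for the rule; I would replace "not working without this" with `# systemd-timer auto-snapshots exec /usr/bin/zpool via env from within zfs_t` and write the usr_files comment as `# zpool compatibility feature sets, e.g. /usr/share/zfs/compatibility.d/openzfs-2.2` so the next maintainer can tell whether the rule is still needed. files_read_usr_files grants read of every usr_t file, which is far broader than the one compatibility directory, but I am not aware of a narrower stock interface for that path, so a short note that the breadth is deliberate would be enough. The optional_policy block that follows the added lines continues past the visible hunk.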