2011-07-20 21:10:50

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/2] Support NFS over TCP

The current policies only support NFS over UDP. When mounting NFS locations
with TCP, we notice that the kernel_t domain has no access to the NFS
tcp_sockets.

These simple patches add an rpc_tcp_rw_nfs_socket() interface and then call
it from the kernel_t definition.

Wkr,
Sven Vermeulen


2011-07-20 21:12:18

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/2] Create interface for NFS/RPC TCP access

Create the rpc_tcp_rw_nfs_sockets() interface, allowing for the calling
domain to access the tcp_sockets managed by nfsd_t.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/rpc.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index cda37bb..dddabcf 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -329,6 +329,24 @@ interface(`rpc_manage_nfs_ro_content',`

########################################
## <summary>
+## Allow domain to read and write to an NFS TCP socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_tcp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
## Allow domain to read and write to an NFS UDP socket.
## </summary>
## <param name="domain">
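Review bot: the name defined here, rpc_tcp_rw_nfs_sockets(), does not match the cover letter, which calls it rpc_tcp_rw_nfs_socket() (singular). The plural form in the hunk is the right one, since it mirrors the existing rpc_udp_rw_nfs_sockets() whose header appears in the trailing context and since patch 2/2 calls the plural name; the cover letter text should be corrected rather than the interface. The XML doc block and the `allow $1 nfsd_t:tcp_socket rw_socket_perms;` body follow the same shape as the UDP interface, so no further change is needed in this hunk.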
--
1.7.3.4

2011-07-20 21:12:52

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/2] Allow kernel to access NFS/RPC TCP

Allow kernel_t to access the nfsd_t's tcp_sockets.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/kernel.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 41357ac..fecbfcc 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -326,6 +326,7 @@ optional_policy(`

rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
+ rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)

tunable_policy(`nfs_export_all_ro',`
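Review bot: this hunk depends on patch 1/2; applied on its own, kernel.te would call rpc_tcp_rw_nfs_sockets(kernel_t) against an rpc.if that does not yet define that interface, so the two patches must land together. Placement is otherwise consistent with the surrounding lines: the new call sits alphabetically before rpc_udp_rw_nfs_sockets(kernel_t) inside the same optional_policy block, so TCP and UDP socket access for kernel_t are granted under the same condition.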
--
1.7.3.4

2011-07-22 11:18:47

by cpebenito

Subject: [refpolicy] [PATCH 0/2] Support NFS over TCP

On 07/20/11 17:10, Sven Vermeulen wrote:
> The current policies only support NFS over UDP. When mounting NFS locations
> with TCP, we notice that the kernel_t domain has no access to the NFS
> tcp_sockets.
>
> These simple patches add an rpc_tcp_rw_nfs_socket() interface and then call
> it from the kernel_t definition.

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com