From: dominick.grift@gmail.com (grift)
Date: Tue, 01 Jan 2013 11:43:47 +0100
Subject: [refpolicy] [PATCH 05/12] Allow rpc admin to run exportfs
In-Reply-To: <1356994351-29191-6-git-send-email-sven.vermeulen@siphos.be>
References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> <1356994351-29191-6-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1357037027.2088.11.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Running exportfs gives a failure::
>
>   exportfs: /proc/fs/nfs/exports:2: unknown keyword "uuid=98e15bcc:25161082:00000000:00000000"
>
> A related denial::
>
>   Dec 19 14:42:24 hpl kernel: [21543.035535] type=1400 audit(1355924544.121:1506): avc: denied { search } for pid=4139 comm="exportfs" name="/" dev="nfsd" ino=1 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
>
> Granting fs_search_nfsd_t() provides what is needed to handle this properly.
> This should probably just go into the sysadm policy instead of this interface

You probably should not test these interfaces with sysadm, because sysadm already has a lot of privileges, so chances are that this will not work or be enough with, for example, a nfsadm_r role.

I merged it nevertheless, but please keep that in mind next time. Thanks.

> Signed-off-by: Sven Vermeulen
> ---
>  rpc.if | 2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/rpc.if b/rpc.if
> index 694e1e8..3bd6446 100644
> --- a/rpc.if
> +++ b/rpc.if
> @@ -415,4 +415,6 @@ interface(`rpc_admin',`
>
>  files_list_tmp($1)
>  admin_pattern($1, gssd_tmp_t)
> +
> + fs_search_nfsd_fs($1)
> ')
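Review bot: the commit message names fs_search_nfsd_t(), but the hunk at rpc.if:415 calls fs_search_nfsd_fs($1); the message should name the interface the patch actually uses, since that is what people grep for later. As a style point, the new call is tacked onto the end of rpc_admin() after a fresh blank line, trailing the admin_pattern block; refpolicy groups interface calls by module prefix, so it would read better placed with the other filesystem calls in the interface than as a dangling last line. The single search permission on nfsd_fs_t does match the denial quoted in the message (tclass=dir, { search }), so the grant itself is as narrow as the log supports.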
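As an added example (not code from this thread or from refpolicy), a minimal test module along the lines grift suggests: a dedicated nfsadm_r role whose only privileges come from rpc_admin(), so that anything the interface is missing shows up as a denial against nfsadm_t instead of being masked by sysadm_t's broad access. The module and role names are hypothetical; it assumes refpolicy's userdom_base_user_template(), the rpc_admin(domain, role) calling convention, that exportfs is labelled bin_t, and that testing starts from a staff_r session.

```selinux
policy_module(nfsadm_test, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical admin role that exists only to exercise rpc_admin().
# userdom_base_user_template() declares nfsadm_t and binds it to nfsadm_r.
role nfsadm_r;
userdom_base_user_template(nfsadm)

########################################
#
# Local policy
#

# Let the test domain run exportfs(8) and the other rpc tools.
# Assumption: they are labelled bin_t and rpc_admin() does not grant this.
corecmd_exec_bin(nfsadm_t)

# Permit newrole(1) from staff_r into the test role.
# Assumption: the tester logs in as staff_u with staff_r.
gen_require(`
	role staff_r;
')
allow staff_r nfsadm_r;

# Only the interface under test. Nothing else is granted here, so if
# exportfs needs to search nfsd_fs_t and rpc_admin() lacks
# fs_search_nfsd_fs(), the denial reappears with
# scontext=...:nfsadm_r:nfsadm_t rather than being hidden by sysadm_t.
optional_policy(`
	rpc_admin(nfsadm_t, nfsadm_r)
')
```

Build and load it like any other refpolicy module, give the test user the role (for example `semanage user -m -R "staff_r nfsadm_r" staff_u`), switch with `newrole -r nfsadm_r`, run `exportfs -v`, and check `ausearch -m avc -c exportfs`: any denial listed there is a gap in rpc_admin() itself, which is the signal a sysadm_t test cannot give.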