[PATCH] blkmapd

Russell Coker <russell@xxxxxxxxxxxx> · Sun, 14 Feb 2021 14:58:00 +1100

Patch for the blkmapd daemon that's part of the NFS server.

I think this is ready for mergikng.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

Index: refpolicy-2.20210203/policy/modules/services/rpc.fc
===================================================================

--- refpolicy-2.20210203.orig/policy/modules/services/rpc.fc
+++ refpolicy-2.20210203/policy/modules/services/rpc.fc
@@ -16,6 +16,7 @@
 /usr/lib/systemd/system/nfs.*\.service --   gen_context(system_u:object_r:nfsd_unit_t,s0)
 /usr/lib/systemd/system/rpc.*\.service --   gen_context(system_u:object_r:rpcd_unit_t,s0)
 
+/usr/sbin/blkmapd	--	gen_context(system_u:object_r:blkmapd_exec_t,s0)
 /usr/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -27,6 +28,7 @@
 
 /var/lib/nfs(/.*)?	gen_context(system_u:object_r:var_lib_nfs_t,s0)
 
+/run/blkmapd\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/sm-notify\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210203/policy/modules/services/rpc.te
@@ -72,6 +72,14 @@ init_unit_file(nfsd_unit_t)
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
 
+rpc_domain_template(blkmapd)
+
+type blkmapd_runtime_t;
+files_runtime_file(blkmapd_runtime_t)
+files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
+allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
+
+
 ########################################
 #
 # Common rpc domain local policy
@@ -279,6 +287,17 @@ optional_policy(`
 
 ########################################
 #
+# BLKMAPD local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+allow blkmapd_t self:unix_dgram_socket create_socket_perms;
+
+fs_list_rpc(blkmapd_t)
+storage_raw_read_fixed_disk(blkmapd_t)
+
+########################################
+#
 # GSSD local policy
 #
 






