| Summary: | sec-policy/selinux-zfs: missing allow rule on zfs compatibility file | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Marc Schiffbauer <mschiff> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | gentoo |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
If you have set a compatibility property on a zfs pool, it needs read access to the configured compatibilty file like: # ls -lZ /usr/share/zfs/compatibility.d/openzfs-2.2-linux /usr/share/zfs/compatibility.d/openzfs-2.2 -rw-r--r--. 1 root root system_u:object_r:usr_t 584 Jan 11 03:05 /usr/share/zfs/compatibility.d/openzfs-2.2 lrwxrwxrwx. 1 root root system_u:object_r:usr_t 11 Jan 11 03:05 /usr/share/zfs/compatibility.d/openzfs-2.2-linux -> openzfs-2.2 This fixed it for me (requires reading symlinks and mmapping regular files): gen_require(` type zfs_t; type usr_t; ') # for reading compatibility file read_lnk_files_pattern(zfs_t,usr_t,usr_t) mmap_read_files_pattern(zfs_t,usr_t,usr_t)