* [refpolicy] [PATCH 0/2] Support NFS over TCP
@ 2011-07-20 21:10 Sven Vermeulen
2011-07-20 21:12 ` [refpolicy] [PATCH 1/2] Create interface for NFS/RPC TCP access Sven Vermeulen
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Sven Vermeulen @ 2011-07-20 21:10 UTC (permalink / raw)
To: refpolicy
The current policies only support NFS over UDP. When mounting NFS locations
with TCP, we notice that the kernel_t domain has no access to the NFS
tcp_sockets.
These simple patches add an rpc_tcp_rw_nfs_socket() interface and then call
it from the kernel_t definition.
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH 1/2] Create interface for NFS/RPC TCP access
From: Sven Vermeulen @ 2011-07-20 21:12 UTC (permalink / raw)
To: refpolicy
Create the rpc_tcp_rw_nfs_sockets() interface, allowing for the calling
domain to access the tcp_sockets managed by nfsd_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/rpc.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index cda37bb..dddabcf 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -329,6 +329,24 @@ interface(`rpc_manage_nfs_ro_content',`
########################################
## <summary>
+## Allow domain to read and write to an NFS TCP socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_tcp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
## Allow domain to read and write to an NFS UDP socket.
## </summary>
## <param name="domain">
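Review bot: the summary for `rpc_tcp_rw_nfs_sockets` says "an NFS TCP socket", but the rule `allow $1 nfsd_t:tcp_socket rw_socket_perms;` grants access specifically to sockets labelled nfsd_t. Naming nfsd_t in the summary would tell callers which type they gain read/write access to; the UDP interface whose summary follows as context could take the same wording. The cover letter also calls the interface `rpc_tcp_rw_nfs_socket()` (singular) while the code defines `rpc_tcp_rw_nfs_sockets`, and the two should agree.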
--
1.7.3.4
* [refpolicy] [PATCH 2/2] Allow kernel to access NFS/RPC TCP
From: Sven Vermeulen @ 2011-07-20 21:12 UTC (permalink / raw)
To: refpolicy
Allow kernel_t to access nfsd_t's tcp_sockets.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/kernel.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 41357ac..fecbfcc 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -326,6 +326,7 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
+ rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
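Review bot: the commit message for the new `rpc_tcp_rw_nfs_sockets(kernel_t)` line does not record what was denied. The cover letter describes the problem as seen when mounting NFS over TCP, while this call gives kernel_t rw_socket_perms on nfsd_t tcp_sockets; quoting the denial in the commit message would let readers confirm that this grant, and nothing broader, is what the mount case needs. Placement inside the existing optional_policy block next to the UDP call is consistent with the surrounding lines.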
--
1.7.3.4
* [refpolicy] [PATCH 0/2] Support NFS over TCP
From: Christopher J. PeBenito @ 2011-07-22 11:18 UTC (permalink / raw)
To: refpolicy
On 07/20/11 17:10, Sven Vermeulen wrote:
> The current policies only support NFS over UDP. When mounting NFS locations
> with TCP, we notice that the kernel_t domain has no access to the NFS
> tcp_sockets.
>
> These simple patches add an rpc_tcp_rw_nfs_socket() interface and then call
> it from the kernel_t definition.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com