Bug 1788542

Summary: selinux/nfs-ganesha: need targeted policy for running the VFS fsal
Product: Fedora
Reporter: Kaleb KEITHLEY <kkeithle>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 31
CC: dwalsh
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-01-07 13:32:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: excerpt of audit.log (flags: none)

Description Kaleb KEITHLEY 2020-01-07 13:28:20 UTC
Description of problem:

ganesha's current targeted policy was originally taken from RHEL, where it was written for ganesha running as part of downstream RHGS (gluster).

Now we are seeing more people running ganesha's FSAL_VFS using local disk as backing store instead of Gluster and are seeing AVC denials during its start-up when it scans all the local file systems. This is a necessary step that is required to implement NFSv4's Pseudo feature.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

ganesha's current selinux policy files can be found at https://github.com/nfs-ganesha/nfs-ganesha/tree/next/src/selinux

audit2allow output:

$ cat /tmp/audit2allow.out 


#============= ganesha_t ==============
allow ganesha_t apm_bios_t:chr_file getattr;
allow ganesha_t autofs_device_t:chr_file getattr;
allow ganesha_t bpf_t:dir getattr;
allow ganesha_t bpf_t:filesystem getattr;
allow ganesha_t cgroup_t:dir getattr;
allow ganesha_t cgroup_t:filesystem getattr;
allow ganesha_t clock_device_t:chr_file getattr;
allow ganesha_t configfs_t:dir getattr;
allow ganesha_t configfs_t:filesystem getattr;
allow ganesha_t cpu_device_t:chr_file getattr;
allow ganesha_t debugfs_t:filesystem getattr;
allow ganesha_t device_t:chr_file getattr;
allow ganesha_t device_t:filesystem getattr;
allow ganesha_t devpts_t:filesystem getattr;
allow ganesha_t dri_device_t:chr_file getattr;
allow ganesha_t event_device_t:chr_file getattr;
allow ganesha_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow ganesha_t fixed_disk_device_t:chr_file getattr;
allow ganesha_t framebuf_device_t:chr_file getattr;
allow ganesha_t fs_t:filesystem getattr;
allow ganesha_t hugetlbfs_t:dir { getattr open read };
allow ganesha_t hugetlbfs_t:filesystem getattr;
allow ganesha_t initctl_t:fifo_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
allow ganesha_t kmsg_device_t:chr_file getattr;
allow ganesha_t kvm_device_t:chr_file getattr;
allow ganesha_t lvm_control_t:chr_file getattr;
allow ganesha_t memory_device_t:chr_file getattr;
allow ganesha_t mouse_device_t:chr_file getattr;
allow ganesha_t netcontrol_device_t:chr_file getattr;
allow ganesha_t nvram_device_t:chr_file getattr;
allow ganesha_t proc_kcore_t:file getattr;
allow ganesha_t proc_t:filesystem getattr;
allow ganesha_t pstore_t:dir getattr;
allow ganesha_t pstore_t:filesystem getattr;
allow ganesha_t ptmx_t:chr_file getattr;
allow ganesha_t removable_device_t:blk_file getattr;
allow ganesha_t rpc_pipefs_t:dir getattr;
allow ganesha_t rpc_pipefs_t:filesystem getattr;
allow ganesha_t scsi_generic_device_t:chr_file getattr;
allow ganesha_t sound_device_t:chr_file getattr;
allow ganesha_t sysfs_t:dir read;
allow ganesha_t sysfs_t:file { getattr open read };
allow ganesha_t sysfs_t:filesystem getattr;
allow ganesha_t sysfs_t:lnk_file read;
allow ganesha_t tmpfs_t:dir read;
allow ganesha_t tmpfs_t:filesystem getattr;
allow ganesha_t usb_device_t:chr_file getattr;
allow ganesha_t usbmon_device_t:chr_file getattr;
allow ganesha_t virtio_device_t:chr_file getattr;
allow ganesha_t watchdog_device_t:chr_file getattr;
allow ganesha_t xserver_misc_device_t:chr_file getattr;

#============= init_t ==============
allow init_t ganesha_var_log_t:dir setattr;
allow init_t var_lib_nfs_t:dir create;

#============= rpcbind_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow rpcbind_t unreserved_port_t:udp_socket name_bind;
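
Added example (not part of the bug report or of the nfs-ganesha project): a small Python triage helper for audit2allow output in the format quoted above. It parses the allow rules, keeps the '#!!!!' boolean hints audit2allow attaches to some of them, and splits one domain's requests into those an existing boolean already covers and those that would need new rules, merged per object class so the shape of the access (here, a getattr sweep of device nodes and filesystems) is visible before any module is built. The sample input is a constructed excerpt of the output above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the audit2allow output quoted in the bug report.
SAMPLE = """\
#============= ganesha_t ==============
allow ganesha_t apm_bios_t:chr_file getattr;
allow ganesha_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow ganesha_t sysfs_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
allow ganesha_t kmsg_device_t:chr_file getattr;
#============= rpcbind_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow rpcbind_t unreserved_port_t:udp_socket name_bind;
"""

# Matches "allow SRC TGT:CLASS PERM;" and "allow SRC TGT:CLASS { PERM ... };".
RULE_RE = re.compile(r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(?:\{([^}]*)\}|(\S+?));$")
BOOL_RE = re.compile(r"boolean '([^']+)'")


def parse_audit2allow(text):
    """Return rules as dicts (src, tgt, cls, perms, boolean) in file order.
    boolean is the name from the '#!!!!' hint preceding a rule, else None."""
    rules, pending_bool = [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("#"):  # section header or '#!!!!' boolean hint
            m = BOOL_RE.search(line)
            pending_bool = m.group(1) if m else None  # headers reset the hint
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised audit2allow line: %r" % line)
        src, tgt, cls, perms, perm = m.groups()
        rules.append({"src": src, "tgt": tgt, "cls": cls, "boolean": pending_bool,
                      "perms": sorted((perms or perm).split())})
        pending_bool = None  # a hint applies only to the rule right after it
    return rules


def summarise(rules, domain):
    """Split one domain's rules into those an existing boolean would cover and
    those needing new allow rules, the latter merged per object class."""
    by_bool, need_rule = defaultdict(list), defaultdict(set)
    for r in (r for r in rules if r["src"] == domain):
        if r["boolean"]:
            by_bool[r["boolean"]].append((r["tgt"], r["cls"]))
        else:
            need_rule[r["cls"]].update(r["perms"])
    return dict(by_bool), {c: sorted(p) for c, p in need_rule.items()}
```

Run it over a real /tmp/audit2allow.out by passing the file contents to parse_audit2allow; rules that come back under a boolean can be handled with setsebool instead of being baked into the policy module.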

Comment 1 Kaleb KEITHLEY 2020-01-07 13:30:24 UTC
Created attachment 1650396
excerpt of audit.log

Comment 2 Kaleb KEITHLEY 2020-01-07 13:32:58 UTC
bugzilla hiccoughed and duped the bz

*** This bug has been marked as a duplicate of bug 1788541 ***