services/zfs: allow auto-snapshots being created via systemd-timer

for reading compatibility file /usr/share/zfs/compatibility.d/openzfs-2.2 -rw-r--r--. 1 root root system_u:object_r:usr_t:s0 584 30. Aug 01:15 /usr/share/zfs/compatibility.d/openzfs-2.2 files_read_usr_files(zfs_t) files_mmap_read_usr_files(zfs_t) auto-snapshots through systemd-timer not working without this: scontext="system_u:system_r:zfs_t:s0" tcontext="system_u:object_r:zfs_exec_t:s0" class="file" perms="execute_no_trans" comm="env" exe="" path="" message="type=AVC msg=audit(1726998333.913:106): avc: denied { execute_no_trans } for pid=1708 comm="env" path="/usr/bin/zpool" dev="zfs" ino=405615 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:zfs_exec_t:s0 tclass=file permissive=0 " allow zfs_t zfs_exec_t:file execute_no_trans; Signed-off-by: Marc Schiffbauer <[email protected]>
gentoo · Dec 4, 2024 · 030b369 · 030b369
1 parent a37bce2
commit 030b369
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
@@ -135,6 +135,13 @@ userdom_use_user_terminals(zfs_t)
 
 zfs_rw_zpool_cache(zfs_t)
 
+# for reading compatibility file in /usr/share/zfs/compatibility.d/
+files_read_usr_files(zfs_t)
+files_mmap_read_usr_files(zfs_t)
+
+# auto-snapshots through systemd-timer not working without this
+allow zfs_t zfs_exec_t:file execute_no_trans;
+
 optional_policy(`
 	fstools_manage_runtime_files(zfs_t)
 	fstools_runtime_filetrans(zfs_t, dir, "blkid")