From 030b369999cf8f8772191bb6ebefa8908584c3a1 Mon Sep 17 00:00:00 2001
From: Marc Schiffbauer
Date: Wed, 4 Dec 2024 22:40:25 +0100
Subject: [PATCH] services/zfs: allow auto-snapshots being created via systemd-timer

for reading compatibility file /usr/share/zfs/compatibility.d/openzfs-2.2 -rw-r--r--. 1 root root system_u:object_r:usr_t:s0 584 30. Aug 01:15 /usr/share/zfs/compatibility.d/openzfs-2.2 files_read_usr_files(zfs_t) files_mmap_read_usr_files(zfs_t) auto-snapshots through systemd-timer not working without this: scontext="system_u:system_r:zfs_t:s0" tcontext="system_u:object_r:zfs_exec_t:s0" class="file" perms="execute_no_trans" comm="env" exe="" path="" message="type=AVC msg=audit(1726998333.913:106): avc: denied { execute_no_trans } for pid=1708 comm="env" path="/usr/bin/zpool" dev="zfs" ino=405615 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:zfs_exec_t:s0 tclass=file permissive=0 " allow zfs_t zfs_exec_t:file execute_no_trans;

Signed-off-by: Marc Schiffbauer
---
 policy/modules/services/zfs.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 57dbe0582..68ce14c76 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -135,6 +135,13 @@ userdom_use_user_terminals(zfs_t)
 zfs_rw_zpool_cache(zfs_t)
+# for reading compatibility file in /usr/share/zfs/compatibility.d/
+files_read_usr_files(zfs_t)
+files_mmap_read_usr_files(zfs_t)
+
+# auto-snapshots through systemd-timer not working without this
+allow zfs_t zfs_exec_t:file execute_no_trans;
+
 optional_policy(`
 fstools_manage_runtime_files(zfs_t)
 fstools_runtime_filetrans(zfs_t, dir, "blkid")
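Review bot: The new `allow zfs_t zfs_exec_t:file execute_no_trans;` is a raw rule where the surrounding module uses interface and macro calls; the refpolicy idiom for "a domain runs its own executables without a transition" is `can_exec(zfs_t, zfs_exec_t)`, which grants the whole `mmap_exec_file_perms` set (read, open, map, execute, execute_no_trans) in one place. The raw rule adds only the single permission the quoted AVC reported, so the remaining permissions an exec needs are presumably already provided by the domain's entrypoint rules, which is worth confirming rather than waiting for the next denial. The comment above the rule records a symptom rather than what is being permitted; `# zfs_t re-executes zpool/zfs (e.g. from the systemd snapshot timer) in its own domain, no transition` would tell a later reader what the rule does. Separately, `files_read_usr_files(zfs_t)` and `files_mmap_read_usr_files(zfs_t)` grant read and map on every usr_t file, which is broader than the one compatibility file named in the message; that is the usual trade-off for content under /usr/share without a dedicated type and is probably acceptable, but the hunk comment should say the whole of usr_t is being opened up, not just that directory.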