Confine nfs-server generator

zpytela · zpytela · commit 1743bb4fbad4 · 2025-07-18T11:42:52.000+02:00
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
@@ -10,8 +10,6 @@
 /usr/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
 /usr/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
 
-/usr/lib/systemd/system-generators/nfs.* 		--	gen_context(system_u:object_r:nfsd_exec_t,s0)
-
 #
 # /usr
 #
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
@@ -295,11 +295,6 @@ fs_manage_nfsd_fs(nfsd_t)
 storage_raw_read_fixed_disk(nfsd_t)
 storage_raw_read_removable_device(nfsd_t)
 
-allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
-systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file)
-systemd_create_unit_file_dirs(nfsd_t)
-systemd_create_unit_file_lnk(nfsd_t)
-
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
@@ -81,6 +81,9 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_network_generator_exec_t,s0)
 
 /usr/lib/systemd/system-generators/bootc-systemd-generator	--	gen_context(system_u:object_r:systemd_bootc_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/nfsroot-generator	--	gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/nfs-server-generator	--	gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/rpc-pipefs-generator	--	gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-bless-boot-generator	--	gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-cryptsetup-generator	--	gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-debug-generator	--	gen_context(system_u:object_r:systemd_debug_generator_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -220,6 +220,8 @@ systemd_generator_template(systemd_getty_generator)
 systemd_generator_template(systemd_gpt_generator)
 # import-generator
 systemd_generator_template(systemd_import_generator)
+# nfs generator
+systemd_generator_template(systemd_nfs_generator)
 # rc-local-generator
 systemd_generator_template(systemd_rc_local_generator)
 # ssh-generator
@@ -1466,6 +1468,14 @@ optional_policy(`
 	udev_read_pid_files(systemd_gpt_generator_t)
 ')
 
+### nfs generator
+permissive systemd_nfs_generator_t;
+
+#allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
+#systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file)
+#systemd_create_unit_file_dirs(nfsd_t)
+#systemd_create_unit_file_lnk(nfsd_t)
+
 ### systemd rc_local generator
 init_exec_script_files(systemd_rc_local_generator_t)
 

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,6 @@`
`10`	`10`	`/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)`
`11`	`11`	`/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)`
`12`	`12`
`13`		`-/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0)`
`14`		`-`
`15`	`13`	`#`
`16`	`14`	`# /usr`
`17`	`15`	`#`